561537d9facf1140ce4e3e25290c3bc31967c65d3d77c429afdea20557cb8e43

Resubmissions

14/06/2024, 13:54

240614-q7y8nstbpf 7

14/06/2024, 13:52

240614-q6wq6axbnp 7

Analysis

max time kernel
32s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortnite-Cleaner.exe
Size

426KB
MD5

a158fb5bce9e7f3adf129939d25f96df
SHA1

28adc37dee6605dc90e521fdc1c3d8c9fee2eab1
SHA256

561537d9facf1140ce4e3e25290c3bc31967c65d3d77c429afdea20557cb8e43
SHA512

5b2272fe5ec5a3fd3fd2dc0684817b7b917c81b8bbe0d50513acbd15c04e0a954d55fdf2632848f98004e4dd1eaf9c0475688ebceb97936d742338dd5a3198c5
SSDEEP

12288:G6R/iFHrLFmA/nsZIf2AKV1Biu5xgVuT:5pGLWZIf2fPYuDgV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Fortnite-Cleaner.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\usb.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAEFF6~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA5F5B~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAD3FA~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\c_cashdrawer.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmgl009.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmmoto1.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAD42A~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\netwns64.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA0910~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\RSATCE~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\c_sslaccel.inf	cmd.exe
File opened for modification	C:\Windows\INF\wpdfs.inf	cmd.exe
File opened for modification	C:\Windows\INF\xboxgip.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmbw561.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmdgitn.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmlucnt.inf	cmd.exe
File opened for modification	C:\Windows\INF\msports.inf	cmd.exe
File opened for modification	C:\Windows\INF\tape.inf	cmd.exe
File opened for modification	C:\Windows\INF\wmiacpi.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAE03C~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\c_extension.inf	cmd.exe
File opened for modification	C:\Windows\INF\megasas.inf	cmd.exe
File opened for modification	C:\Windows\INF\net7400-x64-n650.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA7DC5~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAE3CF~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\mdmtdkj5.inf	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0000\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\acpidev.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmagm64.inf	cmd.exe
File opened for modification	C:\Windows\INF\prnge001.inf	cmd.exe
File opened for modification	C:\Windows\INF\dwup.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmusrsp.inf	cmd.exe
File opened for modification	C:\Windows\INF\megasas2i.inf	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\gthrctr.h	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA65EC~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\mdmcm28.inf	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC Bridge 4.0.0.0\0407\_TransactionBridgePerfCounters_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\netvf63a.inf	cmd.exe
File opened for modification	C:\Windows\INF\umbus.inf	cmd.exe
File opened for modification	C:\Windows\INF\wdmvsc.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA2914~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\MEDIAM~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\c_biometric.inf	cmd.exe
File opened for modification	C:\Windows\INF\microsoft_bluetooth_a2dp_snk.inf	cmd.exe
File opened for modification	C:\Windows\INF\rawsilo.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA589D~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\wmbclass_wmc_union.inf	cmd.exe
File opened for modification	C:\Windows\INF\wdmaudio.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LABD4B~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA87CD~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\ChargeArbitration.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmeric.inf	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC Bridge 4.0.0.0\0000\_TransactionBridgePerfCounters_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\netwew01.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_volsnap.inf	cmd.exe
File opened for modification	C:\Windows\INF\wceisvista.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA2215~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\btampm.inf	cmd.exe
File opened for modification	C:\Windows\INF\iaLPSS2i_I2C_BXT_P.inf	cmd.exe
File opened for modification	C:\Windows\INF\msgpiowin32.inf	cmd.exe
File opened for modification	C:\Windows\INF\printupg.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\BROWSE~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA0AB7~1.MUM	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "192168118080-299721249818530"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "192168118080-29976-23247-362614727"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "192168118080-29976-23247-362614727"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
960	ipconfig.exe
4436	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2876	taskkill.exe
1444	taskkill.exe
1620	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 030012104073524172802436323855214221427781	reg.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Interface\ClsidStore = 3000210930154681062642602060528644309242378322418185164789	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\MSICache = 30012104073524172802436323855214221427781397318072	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3892	reg.exe
2084	reg.exe
3224	reg.exe
4004	reg.exe
2524	reg.exe
4548	reg.exe
4508	reg.exe
1956	reg.exe
4332	reg.exe
116	reg.exe
3456	reg.exe
2516	reg.exe
3916	reg.exe
3324	reg.exe
1288	reg.exe
3456	reg.exe
3344	reg.exe
4952	reg.exe
3372	reg.exe
3628	reg.exe
1584	reg.exe
724	reg.exe
1772	reg.exe
3636	reg.exe
4376	reg.exe
3576	reg.exe
3996	reg.exe
3864	reg.exe
5072	reg.exe
3780	reg.exe
3184	reg.exe
1596	reg.exe
3036	reg.exe
2572	reg.exe
5000	reg.exe
2804	reg.exe
2024	reg.exe
4560	reg.exe
2680	reg.exe
2804	reg.exe
2004	reg.exe
2024	reg.exe
4560	reg.exe
4908	reg.exe
416	reg.exe
4676	reg.exe
4216	reg.exe
4840	reg.exe
4536	reg.exe
4280	reg.exe
3860	reg.exe
2968	reg.exe
3556	reg.exe
4496	reg.exe
2308	reg.exe
3396	reg.exe
1620	reg.exe
4328	reg.exe
4300	reg.exe
2988	reg.exe
4060	reg.exe
4992	reg.exe
3816	reg.exe
2184	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
940	Fortnite-Cleaner.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 2024	940	Fortnite-Cleaner.exe	92
PID 940 wrote to memory of 2024	940	Fortnite-Cleaner.exe	92
PID 940 wrote to memory of 2724	940	Fortnite-Cleaner.exe	94
PID 940 wrote to memory of 2724	940	Fortnite-Cleaner.exe	94
PID 940 wrote to memory of 1800	940	Fortnite-Cleaner.exe	95
PID 940 wrote to memory of 1800	940	Fortnite-Cleaner.exe	95
PID 940 wrote to memory of 1600	940	Fortnite-Cleaner.exe	96
PID 940 wrote to memory of 1600	940	Fortnite-Cleaner.exe	96
PID 940 wrote to memory of 4940	940	Fortnite-Cleaner.exe	99
PID 940 wrote to memory of 4940	940	Fortnite-Cleaner.exe	99
PID 1600 wrote to memory of 2876	1600	cmd.exe	101
PID 1600 wrote to memory of 2876	1600	cmd.exe	101
PID 940 wrote to memory of 3828	940	Fortnite-Cleaner.exe	102
PID 940 wrote to memory of 3828	940	Fortnite-Cleaner.exe	102
PID 940 wrote to memory of 4452	940	Fortnite-Cleaner.exe	104
PID 940 wrote to memory of 4452	940	Fortnite-Cleaner.exe	104
PID 940 wrote to memory of 3036	940	Fortnite-Cleaner.exe	106
PID 940 wrote to memory of 3036	940	Fortnite-Cleaner.exe	106
PID 940 wrote to memory of 232	940	Fortnite-Cleaner.exe	109
PID 940 wrote to memory of 232	940	Fortnite-Cleaner.exe	109
PID 940 wrote to memory of 3316	940	Fortnite-Cleaner.exe	111
PID 940 wrote to memory of 3316	940	Fortnite-Cleaner.exe	111
PID 940 wrote to memory of 2776	940	Fortnite-Cleaner.exe	113
PID 940 wrote to memory of 2776	940	Fortnite-Cleaner.exe	113
PID 2776 wrote to memory of 1444	2776	cmd.exe	115
PID 2776 wrote to memory of 1444	2776	cmd.exe	115
PID 940 wrote to memory of 2516	940	Fortnite-Cleaner.exe	116
PID 940 wrote to memory of 2516	940	Fortnite-Cleaner.exe	116
PID 2516 wrote to memory of 1620	2516	cmd.exe	118
PID 2516 wrote to memory of 1620	2516	cmd.exe	118
PID 940 wrote to memory of 1772	940	Fortnite-Cleaner.exe	119
PID 940 wrote to memory of 1772	940	Fortnite-Cleaner.exe	119
PID 940 wrote to memory of 4668	940	Fortnite-Cleaner.exe	122
PID 940 wrote to memory of 4668	940	Fortnite-Cleaner.exe	122
PID 940 wrote to memory of 2400	940	Fortnite-Cleaner.exe	124
PID 940 wrote to memory of 2400	940	Fortnite-Cleaner.exe	124
PID 1772 wrote to memory of 2988	1772	cmd.exe	121
PID 1772 wrote to memory of 2988	1772	cmd.exe	121
PID 940 wrote to memory of 3384	940	Fortnite-Cleaner.exe	126
PID 940 wrote to memory of 3384	940	Fortnite-Cleaner.exe	126
PID 940 wrote to memory of 4328	940	Fortnite-Cleaner.exe	128
PID 940 wrote to memory of 4328	940	Fortnite-Cleaner.exe	128
PID 4328 wrote to memory of 3924	4328	cmd.exe	130
PID 4328 wrote to memory of 3924	4328	cmd.exe	130
PID 940 wrote to memory of 3008	940	Fortnite-Cleaner.exe	131
PID 940 wrote to memory of 3008	940	Fortnite-Cleaner.exe	131
PID 3008 wrote to memory of 4320	3008	cmd.exe	133
PID 3008 wrote to memory of 4320	3008	cmd.exe	133
PID 940 wrote to memory of 2180	940	Fortnite-Cleaner.exe	134
PID 940 wrote to memory of 2180	940	Fortnite-Cleaner.exe	134
PID 2180 wrote to memory of 2968	2180	cmd.exe	136
PID 2180 wrote to memory of 2968	2180	cmd.exe	136
PID 940 wrote to memory of 216	940	Fortnite-Cleaner.exe	137
PID 940 wrote to memory of 216	940	Fortnite-Cleaner.exe	137
PID 940 wrote to memory of 4524	940	Fortnite-Cleaner.exe	140
PID 940 wrote to memory of 4524	940	Fortnite-Cleaner.exe	140
PID 940 wrote to memory of 3932	940	Fortnite-Cleaner.exe	142
PID 940 wrote to memory of 3932	940	Fortnite-Cleaner.exe	142
PID 4524 wrote to memory of 3456	4524	cmd.exe	144
PID 4524 wrote to memory of 3456	4524	cmd.exe	144
PID 940 wrote to memory of 4196	940	Fortnite-Cleaner.exe	145
PID 940 wrote to memory of 4196	940	Fortnite-Cleaner.exe	145
PID 940 wrote to memory of 384	940	Fortnite-Cleaner.exe	147
PID 940 wrote to memory of 384	940	Fortnite-Cleaner.exe	147

C:\Users\Admin\AppData\Local\Temp\Fortnite-Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite-Cleaner.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\system_no_output32\config\system_no_outputprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  2⤵
  PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\system_no_output Volume Information\IndexerVolumeGuid
  2⤵
  PID:1800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\system_no_output32\restore\MachineGuid.txt
  2⤵
  PID:4940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s C:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:3828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s D:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:4452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s E:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s F:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
  2⤵
  - Drops file in Windows directory
  PID:3316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im OneDrive.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\system32\reg.exe
    reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    - Modifies registry key
    PID:2988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
  2⤵
  PID:4668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
  2⤵
  PID:2400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
  2⤵
  PID:3384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 299662376915570807321872101792717530356599524510201434304 /f
    3⤵
    PID:3924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    PID:4320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 299662376915570807321872101792717530356599524510201434304 /f
    3⤵
    - Modifies registry key
    PID:2968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:216
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-29966 /f
    3⤵
    - Modifies registry key
    PID:4060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-29966 /f
    3⤵
    - Modifies registry key
    PID:3456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
  2⤵
  PID:3932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 192168118080%random%-%random%-%random%-%random% /f
  2⤵
  PID:4196
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 19216811808029969-1750-666-32137 /f
    3⤵
    PID:1480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {192168118080-%random%-%random} /f
  2⤵
  PID:3984
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {192168118080-29969-%random} /f
    3⤵
    - Modifies registry key
    PID:4004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
  2⤵
  PID:1124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 192168118080-%random%%random%%random% /f
  2⤵
  PID:3036
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 192168118080-299691750666 /f
    3⤵
    - Modifies registry key
    PID:2524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
  2⤵
  - Drops file in Windows directory
  PID:232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 192168118080-%random% /f
  2⤵
  PID:892
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 192168118080-29969 /f
    3⤵
    - Modifies registry key
    PID:3556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 192168118080-%random% /f
  2⤵
  PID:1100
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 192168118080-29969 /f
    3⤵
    - Modifies registry key
    PID:3576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 192168118080-%random%%random%%random% /f
  2⤵
  PID:1652
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 192168118080-299721249818530 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:2516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2324
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-29972-12498-1853023432} /f
    3⤵
    - Modifies registry key
    PID:2804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1596
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-29972-12498-1853023432} /f
    3⤵
    - Modifies registry key
    PID:4216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:4840
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {192168118080-29972-12498-1853023432} /f
    3⤵
    - Modifies registry key
    PID:4496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2112
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 192168118080-29972-12498-1853023432 /f
    3⤵
    - Modifies registry key
    PID:2004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:1504
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 192168118080-29972-12498-1853023432 /f
    3⤵
    - Modifies registry key
    PID:1288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:3904
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 192168118080-29976-23247-362614727 /f
    3⤵
    PID:4532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2160
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-29976-23247-362614727 /f
    3⤵
    PID:3648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:3948
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-29976-23247-362614727 /f
    3⤵
    - Modifies registry key
    PID:5000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2308
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 192168118080-29976-23247-362614727 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:3456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:4180
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 192168118080-29976-23247-362614727 /f
    3⤵
    - Enumerates system info in registry
    PID:1220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:3596
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {192168118080-29976-23247-362614727} /f
    3⤵
    - Modifies registry key
    PID:3892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:3828
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {192168118080-29979-1227-214906023} /f
    3⤵
    PID:680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:1648
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-29979 /f
    3⤵
    - Modifies registry key
    PID:416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
  2⤵
  PID:4380
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 29979 /f
    3⤵
    - Modifies registry key
    PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
  2⤵
  PID:4908
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 29979 /f
    3⤵
    PID:892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:1444
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-29979 /f
    3⤵
    PID:1100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {192168118080%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2096
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {19216811808029979-1227-21490-602330362} /f
    3⤵
    - Modifies registry key
    PID:1584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {192168118080%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1620
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {19216811808029982-11975-6587-300867909} /f
    3⤵
    - Modifies registry key
    PID:724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
  2⤵
  PID:2156
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 29982 /f
    3⤵
    - Modifies registry key
    PID:3996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
  2⤵
  PID:4416
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 29982 /f
    3⤵
    - Modifies registry key
    PID:4840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
  2⤵
  PID:2784
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 29982 /f
    3⤵
    - Modifies registry key
    PID:1772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
  2⤵
  PID:1820
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 29982-11975-6587-30086 /f
    3⤵
    PID:3484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 192168118080%random%-%random%-%random%-%random% /f
  2⤵
  PID:4448
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 19216811808029982-11975-6587-30086 /f
    3⤵
    PID:3904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 192168118080%random%-%random%-%random%-%random% /f
  2⤵
  PID:3468
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 19216811808029986-22724-24451-21381 /f
    3⤵
    - Modifies registry key
    PID:4676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 192168118080%random% /f
  2⤵
  PID:1968
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 19216811808029986 /f
    3⤵
    - Modifies registry key
    PID:3372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
  2⤵
  PID:4060
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 29986 /f
    3⤵
    - Modifies registry key
    PID:2308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
  2⤵
  PID:3952
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 29986 /f
    3⤵
    - Modifies registry key
    PID:3916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {192168118080%random%-%random%-%random%-%random%} /f
  2⤵
  PID:3860
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {19216811808029986-22724-24451-21381} /f
    3⤵
    - Modifies registry key
    PID:3324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG delete HKCU\Software\Epic" "Games /f
  2⤵
  PID:3548
- - C:\Windows\system32\reg.exe
    REG delete HKCU\Software\Epic" "Games /f
    3⤵
    - Modifies registry key
    PID:2084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4940
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 29986-22724-24451-2138118224 /f
    3⤵
    - Modifies registry key
    PID:3344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
  2⤵
  PID:1648
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    - Modifies registry key
    PID:4548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    - Modifies registry key
    PID:2572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
  2⤵
  PID:3748
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    - Modifies registry key
    PID:3396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCR\com.epicgames.launcher /f
  2⤵
  PID:1484
- - C:\Windows\system32\reg.exe
    reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:3056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:3576
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:3864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:524
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:1620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:4644
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:4508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:1596
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:2012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:3308
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:2004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
  2⤵
  PID:4404
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    - Modifies registry key
    PID:4328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:3924
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 192168118080-29992-11453-274113972 /f
    3⤵
    - Modifies registry key
    PID:5072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:4504
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 192168118080-29992-11453-274113972 /f
    3⤵
    PID:3184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:3648
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 192168118080-29995-22201-1250728035 /f
    3⤵
    - Modifies registry key
    PID:4300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
  2⤵
  PID:5000
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    - Modifies registry key
    PID:2024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:1612
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 192168118080-29995-22201-1250728035 /f
    3⤵
    - Modifies registry key
    PID:4560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:4524
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 192168118080-29995-22201-1250728035 /f
    3⤵
    PID:1800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:4576
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 192168118080-29995-22201-1250728035 /f
    3⤵
    PID:4004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:2856
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:4936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
  2⤵
  PID:2224
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    PID:1956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:2572
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:3636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:3396
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:4376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:2776
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:2516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:5096
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    - Modifies registry key
    PID:2804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
  2⤵
  PID:724
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    - Modifies registry key
    PID:3780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1752
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 3000210930154681062642602060528644309242378322418185164789 /f
    3⤵
    - Modifies registry class
    PID:4916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:4612
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 192168118080-30002-10930-1546810626 /f
    3⤵
    PID:2784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2440
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 192168118080-30002-10930-1546810626 /f
    3⤵
    - Modifies registry key
    PID:3816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:4404
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 192168118080-30002-10930-1546810626 /f
    3⤵
    PID:3392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
  2⤵
  PID:3740
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    - Modifies registry key
    PID:3184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2160
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 192168118080-30005-21678-5641921 /f
    3⤵
    PID:4284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:1248
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 192168118080-30005-21678-5641921 /f
    3⤵
    - Modifies registry key
    PID:2024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
  2⤵
  PID:3720
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    - Modifies registry key
    PID:4560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
  2⤵
  PID:3812
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    PID:3756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
  2⤵
  PID:4800
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:4876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:3880
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:3652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
  2⤵
  PID:2184
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    - Modifies registry key
    PID:1956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History /f
  2⤵
  PID:4000
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    - Modifies registry key
    PID:4536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
  2⤵
  PID:3664
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    - Modifies registry key
    PID:4908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
  2⤵
  PID:3536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:1100
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    - Modifies registry key
    PID:3628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\Public\Documents
  2⤵
  PID:3992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:3780
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 300121040735241728024363238552142214277813973180724921 /f
    3⤵
    - Modifies registry key
    PID:2680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:3296
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 30012104073524172802436323855214221427781397318072 /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:1596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
  2⤵
  PID:3188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:4328
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 300121040735241728024363238552142214277813973 /f
    3⤵
    PID:4404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
  2⤵
  PID:3896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:4676
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 300121040735241728024363238552142214277813973180724921 /f
    3⤵
    - Modifies registry key
    PID:4280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2968
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 300121040735241728024363238552142214277813973180724921 /f
    3⤵
    - Modifies registry key
    PID:4332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
  2⤵
  PID:3468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:4436
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 30012104073524172802436323855214221427781 /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies registry key
    PID:3860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
  2⤵
  PID:2308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
  2⤵
  PID:888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:3132
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 30012104073524172802436323855214221427781 /f
    3⤵
    PID:4524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:3848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:3976
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 300152115521388857512751354383261921524293 /f
    3⤵
    - Modifies registry key
    PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:2844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:3492
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4536
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 300152115521388 /f
    3⤵
    - Modifies registry key
    PID:3224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2388
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 300152115521388 /f
    3⤵
    - Modifies registry key
    PID:116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
  2⤵
  PID:4376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2776
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 300152115521388 /f
    3⤵
    - Modifies registry key
    PID:4952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
  2⤵
  PID:1332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:708
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 300152115521388 /f
    3⤵
    PID:1196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
  2⤵
  PID:3660
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1696
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 30015211552138885751275135438326192152429330593179244965 /f
    3⤵
    PID:4632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
  2⤵
  PID:208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
  2⤵
  PID:4612
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {30015-21155-213888575} /f
    3⤵
    - Modifies registry key
    PID:4992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
  2⤵
  PID:4320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
  2⤵
  PID:2328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
  2⤵
  PID:4448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH WINSOCK RESET
  2⤵
  PID:3648
- - C:\Windows\system32\netsh.exe
    NETSH WINSOCK RESET
    3⤵
    PID:5000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
  2⤵
  PID:2024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
  2⤵
  PID:904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
  2⤵
  PID:4408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
  2⤵
  PID:4652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
  2⤵
  PID:3344
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
  2⤵
  PID:1104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:2876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
  2⤵
  PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
  2⤵
  PID:212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
  2⤵
  PID:4824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
  2⤵
  PID:3576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
  2⤵
  PID:2776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
  2⤵
  PID:3160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
  2⤵
  PID:1216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
  2⤵
  PID:1596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
  2⤵
  PID:3188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState
  2⤵
  PID:4404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0
  2⤵
  PID:3740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState
  2⤵
  PID:2180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3
  2⤵
  PID:2332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH WINSOCK RESET
  2⤵
  PID:1892
- - C:\Windows\system32\netsh.exe
    NETSH WINSOCK RESET
    3⤵
    PID:1612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\Intel
  2⤵
  PID:4196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:4140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:2084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
  2⤵
  PID:3848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INT IP RESET
  2⤵
  PID:768
- - C:\Windows\system32\netsh.exe
    NETSH INT IP RESET
    3⤵
    PID:2524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
  2⤵
  PID:5088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
  2⤵
  PID:3504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
  2⤵
  PID:4824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
  2⤵
  PID:3628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INTERFACE IPV4 RESET
  2⤵
  PID:3864
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE IPV4 RESET
    3⤵
    PID:4916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
  2⤵
  PID:4508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
  2⤵
  PID:3152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
  2⤵
  PID:1596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INTERFACE IPV6 RESET
  2⤵
  PID:2432
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3188
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE IPV6 RESET
    3⤵
    PID:3924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
  2⤵
  PID:4320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
  2⤵
  PID:2328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
  2⤵
  PID:452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
  2⤵
  PID:1624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INTERFACE TCP RESET
  2⤵
  PID:4504
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE TCP RESET
    3⤵
    PID:3860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C IPCONFIG /RELEASE
  2⤵
  PID:4196
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /RELEASE
    3⤵
    - Gathers network information
    PID:960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
  2⤵
  PID:4652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C IPCONFIG /FLUSHDNS
  2⤵
  PID:3108
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /FLUSHDNS
    3⤵
    - Gathers network information
    PID:4436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
  2⤵
  PID:4272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\Public\Libraries
  2⤵
  PID:2500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NBTSTAT -R
  2⤵
  PID:3848
- - C:\Windows\system32\nbtstat.exe
    NBTSTAT -R
    3⤵
    PID:3600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\MSOCache
  2⤵
  PID:4312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NBTSTAT -RR
  2⤵
  PID:1444
- - C:\Windows\system32\nbtstat.exe
    NBTSTAT -RR
    3⤵
    PID:2384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
  2⤵
  PID:3492
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
    3⤵
    PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads