c4d74e49c44c880ec1b4cdede24423872f931e617b33d6bdba31e0534a12b809

Resubmissions

09/11/2024, 22:49

241109-2r2veatfrl 10

09/11/2024, 22:47

09/11/2024, 22:46

09/11/2024, 22:44

07/11/2024, 16:00

10/02/2024, 17:17

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2024, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggpermV3/Trinity Cleaner.exe
Size

752KB
MD5

5ff39c44ff3eaf7798bffa670fb4b600
SHA1

cd22cc93964fdeb470460642c44fd4ce31f3bf1e
SHA256

fd5d49ac3a9a4130261f43ef6e6c9c6a4a317e7ba421f88e22e0fbe96fd45429
SHA512

6ec8f1e38d78a773f8b0764f7aa5d8902c8c556a2583bdf62b6485e093c8a193b5965e3d908abe60d80b0fc690e2def7721aa896f14f6e77c80f72aa11fa3878
SSDEEP

12288:FBTyBtZmiNYQtIFc5oiJfJulj1CBMeIFjKuQdGhSaApNrWSvUghmjpoVb3/k2JP:eBtZicIFc5oiJfJulj1CBMeIFjKuQdGP

Score

10^/10

defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 1 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
4960	Process not Found

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2948	Process not Found

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 470078006a006a0037007500680030005a0063006400300032004a00470061007000360049005200340033007100610075006a0045006e004f0037005900760039003400630035004c00760020000000	Trinity Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Trinity Cleaner.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\mdmzoom.inf	cmd.exe
File opened for modification	C:\Windows\INF\netk57a.inf	Process not Found
File opened for modification	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\0411\PerfCounters_d.ini	Process not Found
File opened for modification	C:\Windows\INF\bthprint.inf	Process not Found
File opened for modification	C:\Windows\INF\hidserv.inf	Process not Found
File opened for modification	C:\Windows\INF\WINDOW~1.0\0410\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\mdmomrn3.inf	cmd.exe
File opened for modification	C:\Windows\INF\SensorsHidClassDriver.inf	Process not Found
File opened for modification	C:\Windows\INF\MSDTCB~1.0\0409\_TransactionBridgePerfCounters_D.ini	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA35A0~1.MUM	Process not Found
File opened for modification	C:\Windows\INF\mvumis.inf	Process not Found
File opened for modification	C:\Windows\INF\LSM\0407\lagcounterdef.ini	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA7F6C~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\netwlv64.inf	cmd.exe
File opened for modification	C:\Windows\INF\mlx4_bus.inf	cmd.exe
File opened for modification	C:\Windows\INF\HidTelephonyDriver.inf	Process not Found
File opened for modification	C:\Windows\INF\sti.inf	Process not Found
File opened for modification	C:\Windows\INF\mdmzyxlg.inf	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAFA3D~1.MUM	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA1123~1.MUM	Process not Found
File opened for modification	C:\Windows\INF\c_display.inf	cmd.exe
File opened for modification	C:\Windows\INF\iaLPSS2i_GPIO2_BXT_P.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\APPWIR~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\0410\PerfCounters_D.ini	Process not Found
File opened for modification	C:\Windows\INF\amdgpio2.inf	Process not Found
File opened for modification	C:\Windows\INF\BITS\0409\bitsctrs.ini	Process not Found
File opened for modification	C:\Windows\INF\mdmgl005.inf	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\msdtcprf.h	cmd.exe
File opened for modification	C:\Windows\INF\nulhpopr.inf	cmd.exe
File opened for modification	C:\Windows\INF\SDFLauncher.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmrock4.inf	cmd.exe
File opened for modification	C:\Windows\INF\msdri.inf	Process not Found
File opened for modification	C:\Windows\INF\pnpxinternetgatewaydevices.inf	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA633A~1.MUM	Process not Found
File opened for modification	C:\Windows\INF\mdmmct.inf	Process not Found
File opened for modification	C:\Windows\INF\mdmetech.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmusrk1.inf	cmd.exe
File opened for modification	C:\Windows\INF\rndiscmp.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA5221~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\hidirkbd.inf	Process not Found
File opened for modification	C:\Windows\INF\iastorav.inf	Process not Found
File opened for modification	C:\Windows\INF\volsnap.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA9921~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\c_avc.inf	cmd.exe
File opened for modification	C:\Windows\INF\sdstor.inf	Process not Found
File opened for modification	C:\Windows\INF\SmartSAMD.inf	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LACFC1~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\fontsetup.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmsonyu.inf	Process not Found
File opened for modification	C:\Windows\INF\MSDTC\0000\msdtcprf.ini	Process not Found
File opened for modification	C:\Windows\INF\mssmbios.inf	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA8E21~1.MUM	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA992A~1.MUM	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA7D49~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\netevbda.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmgcs.inf	cmd.exe
File opened for modification	C:\Windows\INF\wsearchidxpi\0C0A\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTCB~1.0\0C0A\_TransactionBridgePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\sisraid2.inf	Process not Found
File opened for modification	C:\Windows\INF\WindowsTrustedRTProxy.inf	cmd.exe
File opened for modification	C:\Windows\INF\ehstortcgdrv.inf	Process not Found
File opened for modification	C:\Windows\INF\mdmnis3t.inf	Process not Found
File opened for modification	C:\Windows\INF\iaLPSS2i_I2C_CNL.inf	Process not Found
File opened for modification	C:\Windows\INF\microsoft_bluetooth_hfp.inf	cmd.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3716	sc.exe
2344	sc.exe
3944	sc.exe
1040	sc.exe
3136	sc.exe
556	sc.exe
1708	sc.exe
4020	sc.exe
4116	sc.exe
4484	sc.exe
4392	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1464	reg.exe
560	cmd.exe
2300	Process not Found
4856	cmd.exe
2768	cmd.exe
3136	reg.exe
2036	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Trinity Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily = "cj8Rdfn0kxqbQ25hmue8s0dmT19bbXW0X7Mmu8 "	Trinity Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Trinity Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "25470-23301212948680"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU = "25476-12030"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion = "25476-12030"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "25434-3372-21396-61286804"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "25444-2850-9453-127824980"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "25476-12030"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion = "25476-12030"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "25431-25392353214833"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "25470-23301212948680"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "oqrsr45ii6q1R9tuLwnn7t01F4Omuvg83SSTtD "	Trinity Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Trinity Cleaner.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Trinity Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "25434-3372-21396-61286804"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "25476-12030"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion = "25476-12030"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "/ve"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Trinity Cleaner.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "25476-12030"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "/ve"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "25476-12030"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "25476-12030"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "25444-2850945312782"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "25444-2850-9453-127824980"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "25470-23301212948680"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4200	Process not Found
164	Process not Found

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4560	Process not Found

Kills process with taskkill 6 IoCs

evasion

pid	Process
5008	taskkill.exe
4544	taskkill.exe
1080	taskkill.exe
3620	taskkill.exe
3800	taskkill.exe
2608	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 0254402486924356214862743316095186842626414046	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 0254502434612413281402560927875280211748230812	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Installer\Dependencies\MSICache = 02544024869243562148627433160951868426264140462968230579	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Interface	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Installer\Dependencies	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Installer\Dependencies\MSICache = 02545024346124132814025609278752802117482308121123730135	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Installer\Dependencies	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Interface\ClsidStore = 2543714121649230191171181216815572291913030230623072712092	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Installer	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Interface\ClsidStore = 254502434612413281402560927875280211748230812112373013512268	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Interface	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1784	reg.exe
2656	reg.exe
2508	reg.exe
888	reg.exe
932	reg.exe
3524	reg.exe
3256	reg.exe
3664	reg.exe
980	reg.exe
4920	reg.exe
1292	reg.exe
4344	reg.exe
2044	reg.exe
564	reg.exe
4388	reg.exe
3796	Process not Found
2420	reg.exe
2436	reg.exe
5088	reg.exe
2008	reg.exe
4232	reg.exe
5020	reg.exe
3092	reg.exe
1644	reg.exe
1020	reg.exe
932	reg.exe
2148	reg.exe
2568	reg.exe
4788	reg.exe
3212	reg.exe
4432	reg.exe
3780	reg.exe
3160	reg.exe
3236	reg.exe
2672	reg.exe
1668	reg.exe
4692	reg.exe
1888	reg.exe
4956	reg.exe
4368	reg.exe
2300	reg.exe
4036	reg.exe
3620	reg.exe
2376	reg.exe
3076	reg.exe
100	reg.exe
4508	reg.exe
3280	reg.exe
2884	reg.exe
5008	reg.exe
4036	reg.exe
1140	reg.exe
2560	reg.exe
5072	reg.exe
4552	reg.exe
4708	reg.exe
404	reg.exe
4088	Process not Found
2256	reg.exe
3064	reg.exe
2928	reg.exe
1928	reg.exe
2072	reg.exe
2340	reg.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4544	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeBackupPrivilege	3888	Process not Found
Token: SeRestorePrivilege	3888	Process not Found
Token: SeAuditPrivilege	3888	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 412	5116	Trinity Cleaner.exe	90
PID 5116 wrote to memory of 412	5116	Trinity Cleaner.exe	90
PID 412 wrote to memory of 4544	412	cmd.exe	91
PID 412 wrote to memory of 4544	412	cmd.exe	91
PID 5116 wrote to memory of 4856	5116	Trinity Cleaner.exe	94
PID 5116 wrote to memory of 4856	5116	Trinity Cleaner.exe	94
PID 4856 wrote to memory of 1080	4856	cmd.exe	95
PID 4856 wrote to memory of 1080	4856	cmd.exe	95
PID 5116 wrote to memory of 2508	5116	Trinity Cleaner.exe	96
PID 5116 wrote to memory of 2508	5116	Trinity Cleaner.exe	96
PID 2508 wrote to memory of 3620	2508	cmd.exe	97
PID 2508 wrote to memory of 3620	2508	cmd.exe	97
PID 5116 wrote to memory of 3956	5116	Trinity Cleaner.exe	98
PID 5116 wrote to memory of 3956	5116	Trinity Cleaner.exe	98
PID 3956 wrote to memory of 2376	3956	cmd.exe	99
PID 3956 wrote to memory of 2376	3956	cmd.exe	99
PID 5116 wrote to memory of 3120	5116	Trinity Cleaner.exe	100
PID 5116 wrote to memory of 3120	5116	Trinity Cleaner.exe	100
PID 3120 wrote to memory of 2516	3120	cmd.exe	101
PID 3120 wrote to memory of 2516	3120	cmd.exe	101
PID 5116 wrote to memory of 2080	5116	Trinity Cleaner.exe	102
PID 5116 wrote to memory of 2080	5116	Trinity Cleaner.exe	102
PID 2080 wrote to memory of 4956	2080	cmd.exe	103
PID 2080 wrote to memory of 4956	2080	cmd.exe	103
PID 5116 wrote to memory of 1292	5116	Trinity Cleaner.exe	104
PID 5116 wrote to memory of 1292	5116	Trinity Cleaner.exe	104
PID 1292 wrote to memory of 2420	1292	cmd.exe	105
PID 1292 wrote to memory of 2420	1292	cmd.exe	105
PID 5116 wrote to memory of 888	5116	Trinity Cleaner.exe	106
PID 5116 wrote to memory of 888	5116	Trinity Cleaner.exe	106
PID 888 wrote to memory of 2632	888	cmd.exe	107
PID 888 wrote to memory of 2632	888	cmd.exe	107
PID 5116 wrote to memory of 5036	5116	Trinity Cleaner.exe	108
PID 5116 wrote to memory of 5036	5116	Trinity Cleaner.exe	108
PID 5036 wrote to memory of 1760	5036	cmd.exe	109
PID 5036 wrote to memory of 1760	5036	cmd.exe	109
PID 5116 wrote to memory of 4452	5116	Trinity Cleaner.exe	110
PID 5116 wrote to memory of 4452	5116	Trinity Cleaner.exe	110
PID 4452 wrote to memory of 880	4452	cmd.exe	111
PID 4452 wrote to memory of 880	4452	cmd.exe	111
PID 5116 wrote to memory of 904	5116	Trinity Cleaner.exe	112
PID 5116 wrote to memory of 904	5116	Trinity Cleaner.exe	112
PID 904 wrote to memory of 3540	904	cmd.exe	113
PID 904 wrote to memory of 3540	904	cmd.exe	113
PID 5116 wrote to memory of 3428	5116	Trinity Cleaner.exe	114
PID 5116 wrote to memory of 3428	5116	Trinity Cleaner.exe	114
PID 3428 wrote to memory of 4920	3428	cmd.exe	115
PID 3428 wrote to memory of 4920	3428	cmd.exe	115
PID 5116 wrote to memory of 4448	5116	Trinity Cleaner.exe	116
PID 5116 wrote to memory of 4448	5116	Trinity Cleaner.exe	116
PID 4448 wrote to memory of 2436	4448	cmd.exe	117
PID 4448 wrote to memory of 2436	4448	cmd.exe	117
PID 5116 wrote to memory of 3140	5116	Trinity Cleaner.exe	118
PID 5116 wrote to memory of 3140	5116	Trinity Cleaner.exe	118
PID 3140 wrote to memory of 1512	3140	cmd.exe	119
PID 3140 wrote to memory of 1512	3140	cmd.exe	119
PID 5116 wrote to memory of 2688	5116	Trinity Cleaner.exe	120
PID 5116 wrote to memory of 2688	5116	Trinity Cleaner.exe	120
PID 2688 wrote to memory of 2568	2688	cmd.exe	121
PID 2688 wrote to memory of 2568	2688	cmd.exe	121
PID 5116 wrote to memory of 4660	5116	Trinity Cleaner.exe	122
PID 5116 wrote to memory of 4660	5116	Trinity Cleaner.exe	122
PID 4660 wrote to memory of 684	4660	cmd.exe	123
PID 4660 wrote to memory of 684	4660	cmd.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ggpermV3\Trinity Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\ggpermV3\Trinity Cleaner.exe"
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    3⤵
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    - Modifies registry key
    PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Enum\DISPLAY\ACR06A7 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Enum\DISPLAY\ACR06A7 /f
    3⤵
    - Modifies registry key
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Enum\DISPLAY\PHLC0B1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Enum\DISPLAY\PHLC0B1 /f
    3⤵
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration /f
    3⤵
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Connectivity /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Connectivity /f
    3⤵
    PID:880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\system32\reg.exe
    reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    - Modifies registry key
    PID:4920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 25431253923532148332925743159347227730047153583102312004 /f
    3⤵
    - Modifies registry key
    PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-25431 /f
    3⤵
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-25431 /f
    3⤵
    PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 2543125392-3532-14833-29257 /f
    3⤵
    PID:684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {%random%-%random%-%random} /f
  2⤵
  PID:1756
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {25431-25392-%random} /f
    3⤵
    PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1860
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 25431-25392353214833 /f
    3⤵
    PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:4592
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 25431-25392 /f
    3⤵
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:644
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 25431-25392 /f
    3⤵
    PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1040
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 25431-25392353214833 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:60
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {25431-25392-3532-1483329257} /f
    3⤵
    PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1228
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {25431-25392-3532-1483329257} /f
    3⤵
    PID:2144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1664
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {25434-3372-21396-61286804} /f
    3⤵
    PID:1028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:5104
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 25434-3372-21396-61286804 /f
    3⤵
    PID:4680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2492
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 25434-3372-21396-61286804 /f
    3⤵
    PID:384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4668
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 25434-3372-21396-61286804 /f
    3⤵
    PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1992
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 25434-3372-21396-61286804 /f
    3⤵
    PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1128
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 25434-3372-21396-61286804 /f
    3⤵
    PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4324
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 25434-3372-21396-61286804 /f
    3⤵
    - Enumerates system info in registry
    PID:4316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4312
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 25434-3372-21396-61286804 /f
    3⤵
    - Enumerates system info in registry
    PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2888
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {25434-3372-21396-61286804} /f
    3⤵
    PID:3744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:252
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {25434-3372-21396-61286804} /f
    3⤵
    - Modifies registry key
    PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:472
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-25434 /f
    3⤵
    - Modifies registry key
    PID:980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
  2⤵
  PID:4160
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 25434 /f
    3⤵
    PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
  2⤵
  PID:2340
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 25434 /f
    3⤵
    PID:936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:2600
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-25434 /f
    3⤵
    - Modifies registry key
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:4464
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {254343372-21396-6128-68048242} /f
    3⤵
    PID:1344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2032
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {254343372-21396-6128-68048242} /f
    3⤵
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
  2⤵
  PID:544
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 25434 /f
    3⤵
    - Modifies registry key
    PID:5088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
  2⤵
  PID:5008
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 25434 /f
    3⤵
    PID:240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
  2⤵
  PID:32
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 25434 /f
    3⤵
    PID:112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
  2⤵
  PID:100
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 25434-3372-21396-6128 /f
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f
  2⤵
  PID:1080
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 254343372-21396-6128-6804 /f
    3⤵
    PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f
  2⤵
  PID:772
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 254343372-21396-6128-6804 /f
    3⤵
    - Modifies registry key
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random%%random% /f
  2⤵
  PID:2880
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 254343372 /f
    3⤵
    - Modifies registry key
    PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
  2⤵
  PID:1172
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 25434 /f
    3⤵
    - Modifies registry key
    PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
  2⤵
  PID:3088
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 25434 /f
    3⤵
    - Modifies registry key
    PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%%random%-%random%-%random%-%random%} /f
  2⤵
  PID:4088
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {254343372-21396-6128-6804} /f
    3⤵
    PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
  2⤵
  PID:4224
- - C:\Windows\system32\reg.exe
    REG delete HKCU\Software\Epic" "Games /f
    3⤵
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:3708
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 25437-14121-6492-3019117118 /f
    3⤵
    PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:4996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
  2⤵
  PID:3784
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    PID:3684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
  2⤵
  PID:4920
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:3428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
  2⤵
  PID:2436
- - C:\Windows\system32\reg.exe
    reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:1512
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:2568
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:2672
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    - Modifies registry key
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:4808
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    - Modifies registry key
    PID:2072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
  2⤵
  PID:392
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    - Modifies registry key
    PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1904
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 25437-14121-6492-3019117118 /f
    3⤵
    PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2768
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 25437-14121-6492-3019117118 /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4988
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 25437-14121-6492-3019117118 /f
    3⤵
    - Modifies registry key
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
  2⤵
  PID:3952
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
    3⤵
    PID:4360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
  2⤵
  PID:756
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
    3⤵
    PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
  2⤵
  PID:4028
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
    3⤵
    - Modifies registry key
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
  2⤵
  PID:4128
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2036
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 25437-14121-6492-3019117118 /f
    3⤵
    PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1724
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 25437-14121-6492-3019117118 /f
    3⤵
    PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4420
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 25437-14121-6492-3019117118 /f
    3⤵
    PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:2620
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:1076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
  2⤵
  PID:4316
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
  2⤵
  PID:4664
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:3744
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 2543714121649230191171181216815572291913030230623072712092 /f
    3⤵
    - Modifies registry class
    PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4552
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 25437-14121-6492-3019117118 /f
    3⤵
    PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1256
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 25437-14121-6492-3019117118 /f
    3⤵
    PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4164
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 25440-24869-24356-2148627433 /f
    3⤵
    PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
  2⤵
  PID:2608
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    - Modifies registry key
    PID:564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4244
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 25440-24869-24356-2148627433 /f
    3⤵
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:248
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 25440-24869-24356-2148627433 /f
    3⤵
    PID:244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
  2⤵
  PID:4612
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
  2⤵
  PID:4916
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    - Modifies registry key
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
  2⤵
  PID:216
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:3076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:1604
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
  2⤵
  PID:352
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    - Modifies registry key
    PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
  2⤵
  PID:2452
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
  2⤵
  PID:4892
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:2664
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:3780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:884
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 254402486924356214862743316095186842626414046296823057912136 /f
    3⤵
    - Modifies registry key
    PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2976
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 2544024869243562148627433160951868426264140462968230579 /f
    3⤵
    - Modifies registry class
    PID:888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:4968
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 25440248692435621486274331609518684262641404629682 /f
    3⤵
    - Modifies registry key
    PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:736
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 254402486924356214862743316095186842626414046296823057912136 /f
    3⤵
    PID:3852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:880
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 254402486924356214862743316095186842626414046296823057912136 /f
    3⤵
    PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:3540
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 254402486924356214862743316095186842626414046 /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies registry key
    PID:3212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:4924
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 254402486924356214862743316095186842626414046 /f
    3⤵
    PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2244
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 254402486924356214862743316095186842626414046 /f
    3⤵
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:4256
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 254402486924356 /f
    3⤵
    - Modifies registry key
    PID:4232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:4424
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 254402486924356 /f
    3⤵
    PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:684
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 254402486924356 /f
    3⤵
    PID:1908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2352
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 254402486924356 /f
    3⤵
    - Modifies registry key
    PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
  2⤵
  PID:3716
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {25440-24869-2435621486} /f
    3⤵
    - Modifies registry key
    PID:3524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
  2⤵
  PID:2344
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    - Modifies registry key
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2768
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 254442850945312782498020022217972333630557235333043112180 /f
    3⤵
    PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:2100
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-25444 /f
    3⤵
    PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:1804
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-25444 /f
    3⤵
    PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random%-%random% /f
  2⤵
  PID:2144
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 25444-2850-9453-12782-4980 /f
    3⤵
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {%random%-%random%-%random} /f
  2⤵
  PID:3832
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {25444-2850-%random} /f
    3⤵
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4680
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 25444-2850945312782 /f
    3⤵
    PID:704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:384
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 25444-2850 /f
    3⤵
    PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:3776
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 25444-2850 /f
    3⤵
    PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4420
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 25444-2850945312782 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2620
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {25444-2850-9453-127824980} /f
    3⤵
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:4328
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {25444-2850-9453-127824980} /f
    3⤵
    PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:3760
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {25444-2850-9453-127824980} /f
    3⤵
    - Modifies registry key
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2800
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 25444-2850-9453-127824980 /f
    3⤵
    - Modifies registry key
    PID:3256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:3536
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 25444-2850-9453-127824980 /f
    3⤵
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2972
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 25444-2850-9453-127824980 /f
    3⤵
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4472
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 25444-2850-9453-127824980 /f
    3⤵
    PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4952
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 25444-2850-9453-127824980 /f
    3⤵
    PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4248
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 25444-2850-9453-127824980 /f
    3⤵
    - Enumerates system info in registry
    PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:3700
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 25444-2850-9453-127824980 /f
    3⤵
    - Enumerates system info in registry
    PID:3652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:544
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {25444-2850-9453-127824980} /f
    3⤵
    PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:5008
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {25444-2850-9453-127824980} /f
    3⤵
    PID:3104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:1896
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-25444 /f
    3⤵
    - Modifies registry key
    PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
  2⤵
  PID:100
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 25444 /f
    3⤵
    - Modifies registry key
    PID:3620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
  2⤵
  PID:2964
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 25444 /f
    3⤵
    - Modifies registry key
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:3812
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-25444 /f
    3⤵
    PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:4180
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {254442850-9453-12782-498020022} /f
    3⤵
    PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:3304
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {254442850-9453-12782-498020022} /f
    3⤵
    - Modifies registry key
    PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
  2⤵
  PID:2140
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 25444 /f
    3⤵
    PID:3568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
  2⤵
  PID:4508
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 25447 /f
    3⤵
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
  2⤵
  PID:5036
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 25447 /f
    3⤵
    PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f
  2⤵
  PID:4452
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 2544713598-27317-4077-15294 /f
    3⤵
    - Modifies registry key
    PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random%%random% /f
  2⤵
  PID:904
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 2544713598 /f
    3⤵
    - Modifies registry key
    PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
  2⤵
  PID:1208
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 25447 /f
    3⤵
    PID:660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
  2⤵
  PID:3784
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 25447 /f
    3⤵
    - Modifies registry key
    PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%%random%-%random%-%random%-%random%} /f
  2⤵
  PID:4920
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {2544713598-27317-4077-15294} /f
    3⤵
    PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
  2⤵
  PID:2436
- - C:\Windows\system32\reg.exe
    REG delete HKCU\Software\Epic" "Games /f
    3⤵
    PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1512
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 25447-13598-27317-407715294 /f
    3⤵
    - Modifies registry key
    PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
  2⤵
  PID:2568
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:5100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
  2⤵
  PID:1756
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    PID:5016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
  2⤵
  PID:4808
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
  2⤵
  PID:4592
- - C:\Windows\system32\reg.exe
    reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:1904
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:3136
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:4988
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:3952
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:756
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    - Modifies registry key
    PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
  2⤵
  PID:4028
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4128
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 25447-13598-27317-407715294 /f
    3⤵
    - Modifies registry key
    PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2036
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 25447-13598-27317-407715294 /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1724
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 25447-13598-27317-407715294 /f
    3⤵
    PID:5044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
  2⤵
  PID:1128
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4704
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 25447-13598-27317-407715294 /f
    3⤵
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2136
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 25447-13598-27317-407715294 /f
    3⤵
    PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2980
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 25447-13598-27317-407715294 /f
    3⤵
    PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:472
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
  2⤵
  PID:4552
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    - Modifies registry key
    PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:5112
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:5088
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:4024
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    - Modifies registry key
    PID:3076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:3500
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    - Modifies registry key
    PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
  2⤵
  PID:1896
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:3620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:100
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 254502434612413281402560927875280211748230812112373013512268 /f
    3⤵
    - Modifies registry class
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2964
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 25450-24346-12413-2814025609 /f
    3⤵
    PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2452
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 25450-24346-12413-2814025609 /f
    3⤵
    - Modifies registry key
    PID:3780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2880
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 25450-24346-12413-2814025609 /f
    3⤵
    PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
  2⤵
  PID:3304
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    - Modifies registry key
    PID:888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:3088
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 25450-24346-12413-2814025609 /f
    3⤵
    - Modifies registry key
    PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4088
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 25450-24346-12413-2814025609 /f
    3⤵
    PID:3852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
  2⤵
  PID:4224
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    - Modifies registry key
    PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
  2⤵
  PID:3708
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:1588
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    - Modifies registry key
    PID:1928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
  2⤵
  PID:3540
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    - Modifies registry key
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
  2⤵
  PID:3140
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
  2⤵
  PID:2244
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:4660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:4256
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    - Modifies registry key
    PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:4424
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 254502434612413281402560927875280211748230812112373013512268 /f
    3⤵
    PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:4788
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 2545024346124132814025609278752802117482308121123730135 /f
    3⤵
    - Modifies registry class
    PID:3524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1636
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 25450243461241328140256092787528021174823081211237 /f
    3⤵
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1528
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 254502434612413281402560927875280211748230812112373013512268 /f
    3⤵
    PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2256
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 254502434612413281402560927875280211748230812112373013512268 /f
    3⤵
    - Modifies registry key
    PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2152
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 254502434612413281402560927875280211748230812 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:3772
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 254502434612413281402560927875280211748230812 /f
    3⤵
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:3200
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 254502434612413281402560927875280211748230812 /f
    3⤵
    PID:3952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2148
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 254502434612413 /f
    3⤵
    PID:756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:1680
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 25453232730277 /f
    3⤵
    PID:4028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:5072
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 25453232730277 /f
    3⤵
    PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:3208
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 25453232730277 /f
    3⤵
    PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
  2⤵
  PID:5084
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {25453-2327-3027719436} /f
    3⤵
    - Modifies registry key
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4420
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1076
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:3660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3712
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4532
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:472
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4480
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:564
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4464
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4928
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:32
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4404
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1080
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:772
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2516
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2452
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2880
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3304
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3088
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:3852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4088
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4708
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:660
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:3616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3236
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4416
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2228
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2436
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 25453-23273027719436 /f
    3⤵
    PID:5100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1784
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 25457-130751537310731 /f
    3⤵
    PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4424
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 25457-130751537310731 /f
    3⤵
    PID:3524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4788
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 25457-130751537310731 /f
    3⤵
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
  2⤵
  PID:1636
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
    3⤵
    PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
  2⤵
  PID:1528
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
    3⤵
    PID:3868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
    3⤵
    PID:4092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:1664
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
    3⤵
    PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:4908
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:704
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
    3⤵
    PID:2144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:432
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
    3⤵
    PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:2120
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
    3⤵
    PID:4680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:3068
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:4304
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
    3⤵
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:2620
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
    3⤵
    PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:4316
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
    3⤵
    PID:3752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:4664
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
    3⤵
    PID:252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:2800
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
    3⤵
    PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:2340
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
    3⤵
    PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:4888
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
    3⤵
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:4248
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
    3⤵
    PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
    3⤵
    PID:5088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:3732
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
    3⤵
    PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:3816
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
    3⤵
    PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:3956
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
    3⤵
    PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:3120
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
    3⤵
    PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:4956
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
    3⤵
    PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:3296
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
    3⤵
    PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:4684
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
    3⤵
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:3788
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
    3⤵
    PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:3852
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
    3⤵
    PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1888
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:5064
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1820
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3932
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4924
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:4232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4516
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3028
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:2072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1860
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3524
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1668
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2084
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3868
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4020
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3756
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1804
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2148
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1992
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:4668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:5092
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3208
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:5044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:5084
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4420
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:3240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1076
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3712
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4532
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:472
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 25460-238244692026 /f
    3⤵
    PID:4296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4480
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 25463-18041833426090 /f
    3⤵
    PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:564
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 25463-18041833426090 /f
    3⤵
    PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
  2⤵
  PID:4464
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
    3⤵
    PID:3076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
  2⤵
  PID:4928
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
    3⤵
    PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
  2⤵
  PID:4404
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
    3⤵
    PID:3620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:1080
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
    3⤵
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:772
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
    3⤵
    PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:2516
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
    3⤵
    PID:2080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:2316
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
    3⤵
    PID:4180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:2880
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
    3⤵
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:4508
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
    3⤵
    PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:3840
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
    3⤵
    PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:4540
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
    3⤵
    PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:180
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
    3⤵
    PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:4452
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
    3⤵
    PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:880
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
    3⤵
    PID:3616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:1744
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
    3⤵
    PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:3428
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
    3⤵
    PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:4448
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
    3⤵
    PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:1644
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
    3⤵
    PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:2228
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
    3⤵
    PID:900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:2436
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
    3⤵
    PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:1784
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
    3⤵
    PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:1948
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
    3⤵
    PID:4672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:2416
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
    3⤵
    PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:556
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:1708
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
    3⤵
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:2152
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:2100
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
    3⤵
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0 /f
  2⤵
  PID:3200
- - C:\Windows\system32\reg.exe
    REG ADD HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0 /f
    3⤵
    PID:704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
  2⤵
  PID:3232
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
    3⤵
    PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
  2⤵
  PID:1680
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
    3⤵
    PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
  2⤵
  PID:4680
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
    3⤵
    PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
  2⤵
  PID:2036
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
    3⤵
    PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:1724
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d /ve /f
    3⤵
    - Enumerates system info in registry
    PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:1128
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d /ve /f
    3⤵
    - Enumerates system info in registry
    PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:3752
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d /ve /f
    3⤵
    - Enumerates system info in registry
    PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:252
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
    3⤵
    PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:4160
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
    3⤵
    PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:2160
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
    3⤵
    PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:1332
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
    3⤵
    PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:3000
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d /ve /f
    3⤵
    PID:236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:5088
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d /ve /f
    3⤵
    PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:4024
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d /ve /f
    3⤵
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:3500
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d /ve /f
    3⤵
    PID:100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:1896
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d /ve /f
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:2560
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d /ve /f
    3⤵
    PID:1172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
  2⤵
  PID:1584
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
    3⤵
    PID:1212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
  2⤵
  PID:2664
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
    3⤵
    PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
  2⤵
  PID:3568
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
    3⤵
    PID:3788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
  2⤵
  PID:3304
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
    3⤵
    PID:3852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
  2⤵
  PID:5036
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
    3⤵
    PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
  2⤵
  PID:4060
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
    3⤵
    PID:3796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:4620
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
    3⤵
    PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:3708
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
    3⤵
    PID:3212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:3576
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
    3⤵
    PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:5064
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
    3⤵
    PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:5020
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
    3⤵
    PID:4232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:4444
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
    3⤵
    PID:5100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
    3⤵
    PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:4516
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
    3⤵
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:3028
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
    3⤵
    PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:4808
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
    3⤵
    PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:4592
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
    3⤵
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:2928
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
    3⤵
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:4612
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
    3⤵
    PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
    3⤵
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:1664
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
    3⤵
    PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:1092
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
    3⤵
    PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:3832
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
    3⤵
    PID:4668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:4484
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
    3⤵
    PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:1464
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
    3⤵
    PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:3068
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
    3⤵
    PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:4304
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
    3⤵
    PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:2620
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
    3⤵
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:4420
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
    3⤵
    PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:1076
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
    3⤵
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3712
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d 25470-23301212948680 /f
    3⤵
    - Enumerates system info in registry
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4532
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d 25470-23301212948680 /f
    3⤵
    - Enumerates system info in registry
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:472
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d 25470-23301212948680 /f
    3⤵
    - Enumerates system info in registry
    PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4248
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d 25470-23301212948680 /f
    3⤵
    PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:564
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d 25470-23301212948680 /f
    3⤵
    PID:32
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4464
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4928
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4404
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1080
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:772
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2516
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2316
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2880
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4508
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2404
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:4772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:5096
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3684
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4452
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:1928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:880
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1744
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3428
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4448
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:2072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1644
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:5016
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2616
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3716
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:4808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2344
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3136
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1384
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4732
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:5104
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2492
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4668
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3596
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 25473-1281639032744 /f
    3⤵
    PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:5044
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 25476-120302425424039 /f
    3⤵
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4324
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 25476-120302425424039 /f
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3240
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 25476-120302425424039 /f
    3⤵
    PID:3660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:4328
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 25476-120302425424039 /f
    3⤵
    PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3256
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 25476-120302425424039 /f
    3⤵
    PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2156
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 25476-120302425424039 /f
    3⤵
    PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1256
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 25476-120302425424039 /f
    3⤵
    PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2608
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 25476-120302425424039 /f
    3⤵
    PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:240
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 25476-120302425424039 /f
    3⤵
    PID:236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:3104
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d 25476-12030 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:3196
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 25476-12030 /f
    3⤵
    - Enumerates system info in registry
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardVersion /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:1752
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardVersion /t REG_SZ /d 25476-12030 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BIOSVersion /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:4696
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BIOSVersion /t REG_SZ /d 25476-12030 /f
    3⤵
    - Enumerates system info in registry
    PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemFamily /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:4864
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemFamily /t REG_SZ /d 25476-12030 /f
    3⤵
    - Enumerates system info in registry
    PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2300
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d 25476-12030 /f
    3⤵
    - Enumerates system info in registry
    PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2420
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d 25476-12030 /f
    3⤵
    - Enumerates system info in registry
    PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemSKU /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:888
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemSKU /t REG_SZ /d 25476-12030 /f
    3⤵
    - Enumerates system info in registry
    PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemVersion /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:932
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemVersion /t REG_SZ /d 25476-12030 /f
    3⤵
    - Enumerates system info in registry
    PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:1456
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d 25476-12030 /f
    3⤵
    - Enumerates system info in registry
    PID:2880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:228
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 25476-12030 /f
    3⤵
    - Modifies registry key
    PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v HostName /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:4772
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v HostName /t REG_SZ /d 25476-12030 /f
    3⤵
    PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV HostName /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:736
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV HostName /t REG_SZ /d 25476-12030 /f
    3⤵
    - Modifies registry key
    PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC} /v Hostname /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:3616
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC} /v Hostname /t REG_SZ /d 25476-12030 /f
    3⤵
    - Modifies registry key
    PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB} /v Hostname /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:1208
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB} /v Hostname /t REG_SZ /d 25476-12030 /f
    3⤵
    PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD} /v Hostname /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:4080
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD} /v Hostname /t REG_SZ /d 25476-12030 /f
    3⤵
    PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v HostName /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:1748
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v HostName /t REG_SZ /d 25476-12030 /f
    3⤵
    PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV HostName /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:5020
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV HostName /t REG_SZ /d 25476-12030 /f
    3⤵
    - Modifies registry key
    PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC} /v Hostname /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2072
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC} /v Hostname /t REG_SZ /d 25476-12030 /f
    3⤵
    PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB} /v Hostname /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:684
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB} /v Hostname /t REG_SZ /d 25476-12030 /f
    3⤵
    - Modifies registry key
    PID:1644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD} /v Hostname /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:392
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD} /v Hostname /t REG_SZ /d 25476-12030 /f
    3⤵
    PID:5016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3028
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4808
- - C:\Windows\system32\sc.exe
    sc delete HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop BEService >nul 2>&1
  2⤵
  PID:4592
- - C:\Windows\system32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete BEService >nul 2>&1
  2⤵
  PID:2928
- - C:\Windows\system32\sc.exe
    sc delete BEService
    3⤵
    - Launches sc.exe
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop BEDaisy >nul 2>&1
  2⤵
  PID:2368
- - C:\Windows\system32\sc.exe
    sc stop BEDaisy
    3⤵
    - Launches sc.exe
    PID:556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete BEDaisy >nul 2>&1
  2⤵
  PID:4908
- - C:\Windows\system32\sc.exe
    sc delete BEDaisy
    3⤵
    - Launches sc.exe
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat >nul 2>&1
  2⤵
  PID:756
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheatSys >nul 2>&1
  2⤵
  PID:5076
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheatSys
    3⤵
    - Launches sc.exe
    PID:3944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete EasyAntiCheat >nul 2>&1
  2⤵
  PID:5072
- - C:\Windows\system32\sc.exe
    sc delete EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete EasyAntiCheatSys >nul 2>&1
  2⤵
  PID:4668
- - C:\Windows\system32\sc.exe
    sc delete EasyAntiCheatSys
    3⤵
    - Launches sc.exe
    PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2148
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM C:\Windows\Capcom.sys 2>&1
  2⤵
  PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM del /f %temp%* 2>&1
  2⤵
  PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM D:\steam\depotcache\* 2>&1
  2⤵
  PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe 2>&1
  2⤵
  PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.sys 2>&1
  2⤵
  PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM C:\Windows\KsDumperDriver.sys 2>&1
  2⤵
  PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM C:\Windows\System32\Capcom.sys 2>&1
  2⤵
  PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM C:\Windows\System32KsDumperDriver.sys 2>&1
  2⤵
  PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
  2⤵
  PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
  2⤵
  PID:3752
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:560
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
  2⤵
  PID:240
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s %systemdrive%\$Recycle.Bin >nul 2>&1
  2⤵
  PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
  2⤵
  - Drops file in Windows directory
  PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
  2⤵
  PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
  2⤵
  PID:1212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
  2⤵
  PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
  2⤵
  - Drops file in Windows directory
  PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
  2⤵
  PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
  2⤵
  PID:4996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
  2⤵
  PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Logs
  2⤵
  PID:4948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
  2⤵
  PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
  2⤵
  PID:4140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
  2⤵
  PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
  2⤵
  PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
  2⤵
  PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
  2⤵
  PID:4060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
  2⤵
  PID:660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
  2⤵
  PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
  2⤵
  PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
  2⤵
  PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
  2⤵
  PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
  2⤵
  PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
  2⤵
  PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
  2⤵
  PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
  2⤵
  PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
  2⤵
  PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
  2⤵
  PID:3932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
  2⤵
  PID:1908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
  2⤵
  PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
  2⤵
  - Drops file in Windows directory
  PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
  2⤵
  PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\Public\Documents
  2⤵
  PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
  2⤵
  PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
  2⤵
  PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
  2⤵
  PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
  2⤵
  PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
  2⤵
  PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
  2⤵
  PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
  2⤵
  PID:756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
  2⤵
  PID:3944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
  2⤵
  PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
  2⤵
  PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
  2⤵
  PID:5080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
  2⤵
  PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
  2⤵
  PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
  2⤵
  PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
  2⤵
  PID:5044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
  2⤵
  PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
  2⤵
  PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
  2⤵
  PID:3660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
  2⤵
  PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
  2⤵
  PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
  2⤵
  PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
  2⤵
  PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
  2⤵
  PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
  2⤵
  PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
  2⤵
  PID:3752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
  2⤵
  PID:236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
  2⤵
  PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
  2⤵
  PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
  2⤵
  PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState
  2⤵
  PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0
  2⤵
  PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState
  2⤵
  PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3
  2⤵
  PID:100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\Intel
  2⤵
  PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  2⤵
  PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:1172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
  2⤵
  PID:1212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
  2⤵
  PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
  2⤵
  PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
  2⤵
  PID:3788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
  2⤵
  PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
  2⤵
  PID:3852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
  2⤵
  PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
  2⤵
  PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
  2⤵
  PID:3568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
  2⤵
  PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
  2⤵
  PID:60
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
  2⤵
  PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
  2⤵
  PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
  2⤵
  PID:4772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\Public\Libraries
  2⤵
  PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\MSOCache
  2⤵
  PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
  2⤵
  PID:4180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
  2⤵
  PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  2⤵
  PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
  2⤵
  PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  2⤵
  PID:4256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
  2⤵
  PID:4360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
  2⤵
  PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
  2⤵
  PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
  2⤵
  PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
  2⤵
  PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
  2⤵
  PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
  2⤵
  PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\RHKRUA8J
  2⤵
  PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
  2⤵
  PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Temp
  2⤵
  PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
  2⤵
  PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\V0100024.log
  2⤵
  PID:4128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\All Users\Microsoft\Windows\WER\Temp\WER5CC2.tmp.xml
  2⤵
  PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows.old\Users\All Users\Microsoft\Windows\WER\Temp\WER6D21.tmp.WERInternalMetadata.xml
  2⤵
  PID:4668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\%username%\AppData\Local\Temp\ecache.bin
  2⤵
  PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\%username%\AppData\Local\CrashDumps\BACKGR~2.DMP
  2⤵
  PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\ATTRIB.EXE-58A07CAF.pf
  2⤵
  PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\AgRobust.db
  2⤵
  PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\CEPHTMLENGINE.EXE-E15640BA.pf
  2⤵
  PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\CMD.EXE-0BD30981.pf
  2⤵
  PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\CLIPUP.EXE-4C5C7B66.pf
  2⤵
  PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\D3D9TEST.EXE-1B86F3FC.pf
  2⤵
  PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\GET-GRAPHICS-OFFSETS64.EXE-2BCB2EA4.pf
  2⤵
  PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\GET-GRAPHICS-OFFSETS32.EXE-D4C865E3.pf
  2⤵
  PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\OBS-FFMPEG-MUX.EXE-1C01271A.pf
  2⤵
  PID:252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\OBS-FFMPEG-MUX.EXE-1C01271A.pf
  2⤵
  PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s %systemdrive%\$Recycle.Bin >nul 2>&1
  2⤵
  PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
  2⤵
  - Drops file in Windows directory
  PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
  2⤵
  PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
  2⤵
  PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
  2⤵
  PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
  2⤵
  - Drops file in Windows directory
  PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
  2⤵
  PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
  2⤵
  PID:884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Logs
  2⤵
  PID:2080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
  2⤵
  PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
  2⤵
  PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
  2⤵
  PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
  2⤵
  PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
  2⤵
  PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
  2⤵
  PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
  2⤵
  PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
  2⤵
  PID:3304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
  2⤵
  PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
  2⤵
  PID:60
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
  2⤵
  PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
  2⤵
  PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
  2⤵
  PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
  2⤵
  PID:3300