a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf

Analysis

max time kernel
151s
max time network
139s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe
Size

1.2MB
MD5

c052e847fbbcc286ba6cfe299d272876
SHA1

5a67a3e94d41f5d76a714814dd780493ff98283a
SHA256

a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf
SHA512

5b5e305fef7e69504270f09a7c6bbee5c422da6eba0c136c5e6652a5526f89386a0ff3fced07887a2be3db5ecb083110216d18c57473518d68835a99bf473ea5
SSDEEP

12288:pfP1+T06EoFkEaJ5tth5zsdns7sLW/dxcUVBy:pHs6py

Score

9^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

kdmapper.exe

pid process

1296 kdmapper.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

384 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1720 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1296	kdmapper.exe

pid	process
384	netsh.exe

pid	process
1720	cmd.exe

Drops file in Windows directory 64 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\INF\nettcpip.inf	cmd.exe
File opened for modification	C:\Windows\INF\UGATHE~1\0C0A\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0C0A\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0000\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\msdtcprf.h	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0409\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\040C\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\WSEARC~1\idxcntrs.h	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0410\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0409\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0411\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0411\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0C0A\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\defltbase.inf	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0410\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0000\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\tslabels.h	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\0000\_ServiceModelServicePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0000\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\printupg.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0410\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\0C0A\gthrctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\WSEARC~1\0410\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0407\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\0407\_ServiceModelServicePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~2\_NetworkingPerfCounters.h	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0410\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0C0A\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\defltwk.inf	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0409\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0C0A\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0409\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0C0A\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\fr-FR\netavpna.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\nettcpip.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\0411\_ServiceModelServicePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\0407\_DataPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\dshowext.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0C0A\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETFRA~1\corperfmonsymbols.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\_DataOracleClientPerfCounters_shared12_neutral.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\0C0A\_dataperfcounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0409\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0C0A\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\netpacer.inf	cmd.exe
File opened for modification	C:\Windows\INF\WSEARC~1\0000\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\SMSVCH~1.0\0411\_SMSvcHostPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0411\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\040C\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\bitsctr.h	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\040C\_ServiceModelServicePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0409\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTCB~1.0\0410\_TransactionBridgePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\0409\_dataperfcounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0411\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\rspndr.inf	cmd.exe
File opened for modification	C:\Windows\INF\NETFRA~1\CORPerfMonSymbols.h	cmd.exe
File opened for modification	C:\Windows\INF\wfplwf.inf	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\_DataPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\netvwifimp.inf	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\_DataPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\0407\_ServiceModelServicePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0410\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\SMSVCH~1.0\0407\_SMSvcHostPerfCounters_D.ini	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Paste-26648-1078-1827314271"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "Paste-26648-1078-1827314271"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Paste-2664423097409"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe

Gathers network information 2 TTPs 8 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid process

560 ipconfig.exe
868 ipconfig.exe
1616 ipconfig.exe
1912 ipconfig.exe
1012 ipconfig.exe
216 ipconfig.exe
1720 ipconfig.exe
756 ipconfig.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1508 vssadmin.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1060 taskkill.exe
1760 taskkill.exe
1984 taskkill.exe
840 taskkill.exe
1916 taskkill.exe
1480 taskkill.exe

pid	process
560	ipconfig.exe
868	ipconfig.exe
1616	ipconfig.exe
1912	ipconfig.exe
1012	ipconfig.exe
216	ipconfig.exe
1720	ipconfig.exe
756	ipconfig.exe

pid	process
1508	vssadmin.exe

pid	process
1060	taskkill.exe
1760	taskkill.exe
1984	taskkill.exe
840	taskkill.exe
1916	taskkill.exe
1480	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 0266542257421233296301850610048123471244730374	reg.exe

Modifies registry class 5 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Interface	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Interface\ClsidStore = 266511182633695566819161229235153751386223408255542332	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Installer\Dependencies	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Installer	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Installer\Dependencies\MSICache = 02665422574212332963018506100481234712447303741726025406	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1124	reg.exe
1424	reg.exe
1060	reg.exe
1560	reg.exe
220	reg.exe
1204	reg.exe
1724	reg.exe
1728	reg.exe
1124	reg.exe
1180	reg.exe
428	reg.exe
524	reg.exe
1928	reg.exe
1616	reg.exe
1664	reg.exe
1704	reg.exe
2040	reg.exe
560	reg.exe
832	reg.exe
1584	reg.exe
1360	reg.exe
204	reg.exe
1616	reg.exe
516	reg.exe
1672	reg.exe
1724	reg.exe
1012	reg.exe
1016	reg.exe
1016	reg.exe
1680	reg.exe
1688	reg.exe
428	reg.exe
1588	reg.exe
1360	reg.exe
1124	reg.exe
1584	reg.exe
1012	reg.exe
1616	reg.exe
1204	reg.exe
868	reg.exe
1688	reg.exe
760	reg.exe
832	reg.exe
652	reg.exe
1928	reg.exe
1688	reg.exe
1664	reg.exe
1704	reg.exe
868	reg.exe
1228	reg.exe
1560	reg.exe
708	reg.exe
1728	reg.exe
1648	reg.exe
652	reg.exe
524	reg.exe
220	reg.exe
1616	reg.exe
236	reg.exe
1016	reg.exe
204	reg.exe
556	reg.exe
1728	reg.exe
556	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

384 powershell.exe

pid	process
384	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1800	WMIC.exe
Token: SeSecurityPrivilege	1800	WMIC.exe
Token: SeTakeOwnershipPrivilege	1800	WMIC.exe
Token: SeLoadDriverPrivilege	1800	WMIC.exe
Token: SeSystemProfilePrivilege	1800	WMIC.exe
Token: SeSystemtimePrivilege	1800	WMIC.exe
Token: SeProfSingleProcessPrivilege	1800	WMIC.exe
Token: SeIncBasePriorityPrivilege	1800	WMIC.exe
Token: SeCreatePagefilePrivilege	1800	WMIC.exe
Token: SeBackupPrivilege	1800	WMIC.exe
Token: SeRestorePrivilege	1800	WMIC.exe
Token: SeShutdownPrivilege	1800	WMIC.exe
Token: SeDebugPrivilege	1800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1800	WMIC.exe
Token: SeRemoteShutdownPrivilege	1800	WMIC.exe
Token: SeUndockPrivilege	1800	WMIC.exe
Token: SeManageVolumePrivilege	1800	WMIC.exe
Token: 33	1800	WMIC.exe
Token: 34	1800	WMIC.exe
Token: 35	1800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1800	WMIC.exe
Token: SeSecurityPrivilege	1800	WMIC.exe
Token: SeTakeOwnershipPrivilege	1800	WMIC.exe
Token: SeLoadDriverPrivilege	1800	WMIC.exe
Token: SeSystemProfilePrivilege	1800	WMIC.exe
Token: SeSystemtimePrivilege	1800	WMIC.exe
Token: SeProfSingleProcessPrivilege	1800	WMIC.exe
Token: SeIncBasePriorityPrivilege	1800	WMIC.exe
Token: SeCreatePagefilePrivilege	1800	WMIC.exe
Token: SeBackupPrivilege	1800	WMIC.exe
Token: SeRestorePrivilege	1800	WMIC.exe
Token: SeShutdownPrivilege	1800	WMIC.exe
Token: SeDebugPrivilege	1800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1800	WMIC.exe
Token: SeRemoteShutdownPrivilege	1800	WMIC.exe
Token: SeUndockPrivilege	1800	WMIC.exe
Token: SeManageVolumePrivilege	1800	WMIC.exe
Token: 33	1800	WMIC.exe
Token: 34	1800	WMIC.exe
Token: 35	1800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	972	WMIC.exe
Token: SeSecurityPrivilege	972	WMIC.exe
Token: SeTakeOwnershipPrivilege	972	WMIC.exe
Token: SeLoadDriverPrivilege	972	WMIC.exe
Token: SeSystemProfilePrivilege	972	WMIC.exe
Token: SeSystemtimePrivilege	972	WMIC.exe
Token: SeProfSingleProcessPrivilege	972	WMIC.exe
Token: SeIncBasePriorityPrivilege	972	WMIC.exe
Token: SeCreatePagefilePrivilege	972	WMIC.exe
Token: SeBackupPrivilege	972	WMIC.exe
Token: SeRestorePrivilege	972	WMIC.exe
Token: SeShutdownPrivilege	972	WMIC.exe
Token: SeDebugPrivilege	972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	972	WMIC.exe
Token: SeRemoteShutdownPrivilege	972	WMIC.exe
Token: SeUndockPrivilege	972	WMIC.exe
Token: SeManageVolumePrivilege	972	WMIC.exe
Token: 33	972	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1632 wrote to memory of 1484	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1484	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1484	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1484 wrote to memory of 1060	1484	cmd.exe	taskkill.exe
PID 1484 wrote to memory of 1060	1484	cmd.exe	taskkill.exe
PID 1484 wrote to memory of 1060	1484	cmd.exe	taskkill.exe
PID 1632 wrote to memory of 2040	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 2040	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 2040	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 2040 wrote to memory of 1760	2040	cmd.exe	taskkill.exe
PID 2040 wrote to memory of 1760	2040	cmd.exe	taskkill.exe
PID 2040 wrote to memory of 1760	2040	cmd.exe	taskkill.exe
PID 1632 wrote to memory of 808	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 808	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 808	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 808 wrote to memory of 1984	808	cmd.exe	taskkill.exe
PID 808 wrote to memory of 1984	808	cmd.exe	taskkill.exe
PID 808 wrote to memory of 1984	808	cmd.exe	taskkill.exe
PID 1632 wrote to memory of 1180	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1180	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1180	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1180 wrote to memory of 840	1180	cmd.exe	taskkill.exe
PID 1180 wrote to memory of 840	1180	cmd.exe	taskkill.exe
PID 1180 wrote to memory of 840	1180	cmd.exe	taskkill.exe
PID 1632 wrote to memory of 1648	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1648	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1648	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1648 wrote to memory of 1916	1648	cmd.exe	taskkill.exe
PID 1648 wrote to memory of 1916	1648	cmd.exe	taskkill.exe
PID 1648 wrote to memory of 1916	1648	cmd.exe	taskkill.exe
PID 1632 wrote to memory of 636	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 636	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 636	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 636 wrote to memory of 1480	636	cmd.exe	taskkill.exe
PID 636 wrote to memory of 1480	636	cmd.exe	taskkill.exe
PID 636 wrote to memory of 1480	636	cmd.exe	taskkill.exe
PID 1632 wrote to memory of 1724	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1724	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1724	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1976	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1976	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1976	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1976 wrote to memory of 1800	1976	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 1800	1976	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 1800	1976	cmd.exe	WMIC.exe
PID 1632 wrote to memory of 1720	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1720	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1720	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1720 wrote to memory of 1296	1720	cmd.exe	kdmapper.exe
PID 1720 wrote to memory of 1296	1720	cmd.exe	kdmapper.exe
PID 1720 wrote to memory of 1296	1720	cmd.exe	kdmapper.exe
PID 1632 wrote to memory of 868	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 868	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 868	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 868 wrote to memory of 972	868	cmd.exe	WMIC.exe
PID 868 wrote to memory of 972	868	cmd.exe	WMIC.exe
PID 868 wrote to memory of 972	868	cmd.exe	WMIC.exe
PID 1632 wrote to memory of 764	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 764	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 764	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1760	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1760	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1632 wrote to memory of 1760	1632	a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe	cmd.exe
PID 1760 wrote to memory of 384	1760	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe
"C:\Users\Admin\AppData\Local\Temp\a9f52534528e7a50296b9effafdc23f6478ecad829b43c3d048be8641c0d79bf.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im RustClient.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Origin.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\taskkill.exe
taskkill /f /im Origin.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im r5apex.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\system32\taskkill.exe
taskkill /f /im r5apex.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0D
2⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:/Windows/IME/kdmapper.exe C:/Windows/IME/Spoofy.sys
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\IME\kdmapper.exe
C:/Windows/IME/kdmapper.exe C:/Windows/IME/Spoofy.sys
3⤵
- Executes dropped EXE
PID:1296

C:\Windows\system32\netsh.exe
NETSH INTERFACE TCP RESET
3⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
2⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:/Windows/IME/kernel.exe
2⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Reset-PhysicalDisk * >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Reset-PhysicalDisk *
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:/Windows/IME/mac.exe
2⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c NETSH WINSOCK RESET
2⤵
PID:1136

C:\Windows\system32\netsh.exe
NETSH WINSOCK RESET
3⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c NETSH INT IP RESET
2⤵
PID:1996

C:\Windows\system32\netsh.exe
NETSH INT IP RESET
3⤵
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV4 RESET
2⤵
PID:672

C:\Windows\system32\netsh.exe
NETSH INTERFACE IPV4 RESET
3⤵
PID:596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV6 RESET
2⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c NETSH INTERFACE TCP RESET
2⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE
2⤵
PID:1728

C:\Windows\system32\ipconfig.exe
IPCONFIG /RELEASE
3⤵
- Gathers network information
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE
2⤵
PID:1060

C:\Windows\system32\ipconfig.exe
IPCONFIG /RELEASE
3⤵
- Gathers network information
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c IPCONFIG /RENEW
2⤵
PID:2040

C:\Windows\system32\ipconfig.exe
IPCONFIG /RENEW
3⤵
- Gathers network information
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c IPCONFIG /FLUSHDNS
2⤵
PID:1400

C:\Windows\system32\ipconfig.exe
IPCONFIG /FLUSHDNS
3⤵
- Gathers network information
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c IPCONFIG /RENEW
2⤵
PID:652

C:\Windows\system32\ipconfig.exe
IPCONFIG /RENEW
3⤵
- Gathers network information
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul 2>&1
2⤵
PID:428

C:\Windows\system32\net.exe
net stop winmgmt /y
3⤵
PID:1760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
4⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet >nul 2>&1
2⤵
PID:756

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
2⤵
PID:1468

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
2⤵
PID:708

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
3⤵
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
2⤵
PID:1764

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
3⤵
- Modifies registry key
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1400

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 2664423097409229762033031036301021229136072936258502244 /f
3⤵
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
2⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
2⤵
PID:1696

C:\Windows\system32\reg.exe
reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
3⤵
- Checks processor information in registry
- Modifies registry key
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:792

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 2664423097409229762033031036301021229136072936258502244 /f
3⤵
- Modifies registry key
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:1644

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-26644 /f
3⤵
- Modifies registry key
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste%random%-%random%-%random%-%random% /f
2⤵
PID:1076

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste26644-23097-409-22976 /f
3⤵
- Modifies registry key
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Paste-%random%-%random} /f
2⤵
PID:1840

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Paste-26644-%random} /f
3⤵
- Modifies registry key
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Paste-%random%%random%%random% /f
2⤵
PID:452

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Paste-2664423097409 /f
3⤵
- Modifies registry key
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Paste-%random% /f
2⤵
PID:1148

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Paste-26644 /f
3⤵
- Modifies registry key
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Paste-%random% /f
2⤵
PID:1760

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Paste-26644 /f
3⤵
- Modifies registry key
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Paste-%random%%random%%random% /f
2⤵
PID:980

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Paste-2664423097409 /f
3⤵
- Enumerates system info in registry
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
2⤵
PID:1884

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-26644-23097-40922976} /f
3⤵
- Modifies registry key
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
2⤵
PID:948

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-26644-23097-40922976} /f
3⤵
- Modifies registry key
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
2⤵
PID:1084

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Paste-26648-1078-1827314271} /f
3⤵
- Modifies registry key
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:1556

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Paste-26648-1078-1827314271 /f
3⤵
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:1992

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Paste-26648-1078-1827314271 /f
3⤵
- Modifies registry key
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:968

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Paste-26648-1078-1827314271 /f
3⤵
- Modifies registry key
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:1156

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-26648-1078-1827314271 /f
3⤵
- Modifies registry key
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:964

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-26648-1078-1827314271 /f
3⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:1720

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Paste-26648-1078-1827314271 /f
3⤵
- Enumerates system info in registry
- Modifies registry key
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:212

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Paste-26648-1078-1827314271 /f
3⤵
- Enumerates system info in registry
- Modifies registry key
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
2⤵
PID:228

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Paste-26648-1078-1827314271} /f
3⤵
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
2⤵
PID:1056

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Paste-26648-1078-1827314271} /f
3⤵
- Modifies registry key
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:1428

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-26648 /f
3⤵
- Modifies registry key
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
2⤵
PID:1692

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 26648 /f
3⤵
- Modifies registry key
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
2⤵
PID:1468

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 26648 /f
3⤵
- Modifies registry key
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:972

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-26648 /f
3⤵
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Paste%random%-%random%-%random%-%random%%random%} /f
2⤵
PID:1304

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Paste26648-1078-18273-1427130645} /f
3⤵
- Modifies registry key
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Paste%random%-%random%-%random%-%random%%random%} /f
2⤵
PID:1764

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Paste26648-1078-18273-1427130645} /f
3⤵
- Modifies registry key
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
2⤵
PID:1580

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 26648 /f
3⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
2⤵
PID:1604

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 26648 /f
3⤵
- Modifies registry key
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
2⤵
PID:1984

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 26648 /f
3⤵
- Modifies registry key
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:276

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 26648-1078-18273-14271 /f
3⤵
- Modifies registry key
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Paste%random%-%random%-%random%-%random% /f
2⤵
PID:1216

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Paste26648-1078-18273-14271 /f
3⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Paste%random%-%random%-%random%-%random% /f
2⤵
PID:464

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Paste26648-1078-18273-14271 /f
3⤵
PID:1228

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Paste-26651-11826-33695566 /f
3⤵
- Modifies registry key
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Paste%random% /f
2⤵
PID:1916

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Paste26648 /f
3⤵
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
2⤵
PID:1188

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 26648 /f
3⤵
- Modifies registry key
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
2⤵
PID:984

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 26648 /f
3⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Paste%random%-%random%-%random%-%random%} /f
2⤵
PID:1076

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Paste26648-1078-18273-14271} /f
3⤵
- Modifies registry key
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
2⤵
PID:1840

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic" "Games /f
3⤵
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
2⤵
PID:452

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 26651-11826-3369-55668191 /f
3⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
2⤵
PID:1148

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
3⤵
- Modifies registry key
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
2⤵
PID:1760

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
3⤵
- Modifies registry key
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
2⤵
PID:980

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
3⤵
- Modifies registry key
PID:1664

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
3⤵
- Modifies registry key
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
2⤵
PID:1884

C:\Windows\system32\reg.exe
reg delete HKCR\com.epicgames.launcher /f
3⤵
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
2⤵
PID:948

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
2⤵
PID:1084

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
- Modifies registry key
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
2⤵
PID:1556

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
- Modifies registry key
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
2⤵
PID:1992

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
2⤵
PID:968

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
2⤵
PID:1156

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
3⤵
- Modifies registry key
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:964

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Paste-26651-11826-33695566 /f
3⤵
- Modifies registry key
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:1720

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Paste-26651-11826-33695566 /f
3⤵
- Modifies registry key
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:212

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste-26651-11826-33695566 /f
3⤵
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
2⤵
PID:228

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
3⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:1056

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Paste-26651-11826-33695566 /f
3⤵
- Modifies registry key
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:1428

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Paste-26651-11826-33695566 /f
3⤵
- Modifies registry key
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:1692

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Paste-26651-11826-33695566 /f
3⤵
- Modifies registry key
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
2⤵
PID:1468

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
2⤵
PID:972

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
3⤵
- Modifies registry key
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
2⤵
PID:1304

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
- Modifies registry key
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
2⤵
PID:1764

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
2⤵
PID:1580

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
2⤵
PID:1604

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
- Modifies registry key
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
2⤵
PID:1984

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
3⤵
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:276

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 266511182633695566819161229235153751386223408255542332 /f
3⤵
- Modifies registry class
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:1216

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Paste-26651-11826-33695566 /f
3⤵
- Modifies registry key
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:1916

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Paste-26654-22574-2123329630 /f
3⤵
- Modifies registry key
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
2⤵
PID:1188

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
3⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:984

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Paste-26654-22574-2123329630 /f
3⤵
- Modifies registry key
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
2⤵
PID:1076

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Paste-26654-22574-2123329630 /f
3⤵
- Modifies registry key
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
2⤵
PID:1840

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
3⤵
- Modifies registry key
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
2⤵
PID:452

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
3⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
2⤵
PID:1148

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
3⤵
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
2⤵
PID:1760

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
3⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
2⤵
PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
2⤵
PID:1884

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Hex-Rays\IDA\History /f
3⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
2⤵
PID:948

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
3⤵
- Modifies registry key
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
2⤵
PID:1084

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
3⤵
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1556

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 26654225742123329630185061004812347124473037417260254062376 /f
3⤵
- Modifies registry key
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1992

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 2665422574212332963018506100481234712447303741726025406 /f
3⤵
- Modifies registry class
- Modifies registry key
PID:1928

C:\Windows\system32\netsh.exe
netsh int ipv6 reset
4⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:968

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 26654225742123329630185061004812347124473037417260 /f
3⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1156

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 26654225742123329630185061004812347124473037417260254062376 /f
3⤵
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:964

C:\Windows\system32\reg.exe
REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 26654225742123329630185061004812347124473037417260254062376 /f
3⤵
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1720

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 266542257421233296301850610048123471244730374 /f
3⤵
- Modifies Internet Explorer settings
- Modifies registry key
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:212

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 266542257421233296301850610048123471244730374 /f
3⤵
- Modifies registry key
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:228

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 266542257421233296301850610048123471244730374 /f
3⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:1056

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 266542257421233 /f
3⤵
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:1428

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 266542257421233 /f
3⤵
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:1692

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 266542257421233 /f
3⤵
- Modifies registry key
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:1468

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 266542257421233 /f
3⤵
- Modifies registry key
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:972

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 26654225742123329630185061004812347124473037417260254062376 /f
3⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
2⤵
PID:1304

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {26654-22574-2123329630} /f
3⤵
- Modifies registry key
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
2⤵
PID:1764

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
2⤵
PID:1580

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
2⤵
PID:1604

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
3⤵
- Modifies registry key
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh winsock reset
2⤵
PID:1984

C:\Windows\system32\netsh.exe
netsh winsock reset
3⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh winsock reset catalog
2⤵
PID:1644

C:\Windows\system32\netsh.exe
netsh winsock reset catalog
3⤵
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh int ip reset
2⤵
PID:1016

C:\Windows\system32\netsh.exe
netsh int ip reset
3⤵
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall reset
2⤵
PID:636

C:\Windows\system32\netsh.exe
netsh advfirewall reset
3⤵
- Modifies Windows Firewall
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh int reset all
2⤵
PID:1760

C:\Windows\system32\netsh.exe
netsh int reset all
3⤵
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh int ipv4 reset
2⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh int ipv6 reset
2⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /release
2⤵
PID:224

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /renew
2⤵
PID:236

C:\Windows\system32\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
2⤵
PID:692

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\INF
2⤵
- Drops file in Windows directory
PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\Public\Documents
2⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch
2⤵
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\temp
2⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch
2⤵
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Temp
2⤵
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\Intel
2⤵
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\INF
2⤵
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\Public\Documents
2⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\Prefetch
2⤵
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\temp
2⤵
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\Prefetch
2⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Temp
2⤵
PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\Intel
2⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\INF
2⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\Public\Documents
2⤵
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\Prefetch
2⤵
PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\temp
2⤵
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\Prefetch
2⤵
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q E:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q E:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q E:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q E:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Temp
2⤵
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\Intel
2⤵
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\INF
2⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\Public\Documents
2⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\Prefetch
2⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\temp
2⤵
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\Prefetch
2⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q F:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q F:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q F:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q F:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Temp
2⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\Intel
2⤵
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s %systemdrive%\$Recycle.Bin >nul 2>&1
2⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin >nul 2>&1
2⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin >nul 2>&1
2⤵
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin >nul 2>&1
2⤵
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
2⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
2⤵
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
2⤵
- Drops file in Windows directory
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Logs
2⤵
PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
2⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
2⤵
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
2⤵
- Drops file in Windows directory
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\Public\Documents
2⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
2⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
2⤵
PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
2⤵
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:692

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:784

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
2⤵
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
2⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
2⤵
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
2⤵
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
2⤵
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
2⤵
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState
2⤵
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0
2⤵
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3
2⤵
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState
2⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\Intel
2⤵
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
2⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
2⤵
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
2⤵
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
2⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
2⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
2⤵
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
2⤵
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
2⤵
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
2⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
2⤵
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
2⤵
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
2⤵
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
2⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
2⤵
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\Public\Libraries
2⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\MSOCache
2⤵
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
2⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
2⤵
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
2⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
2⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
2⤵
PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
2⤵
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
2⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
2⤵
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
2⤵
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\RHKRUA8J
2⤵
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
2⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Temp
2⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
2⤵
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
2⤵
PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
2⤵
PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
2⤵
PID:764

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
3⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\INF
2⤵
- Drops file in Windows directory
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\Public\Documents
2⤵
PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch
2⤵
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\temp
2⤵
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Temp
2⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\Intel
2⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\INF
2⤵
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\Public\Documents
2⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\Prefetch
2⤵
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\temp
2⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Temp
2⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\Intel
2⤵
PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\INF
2⤵
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\Public\Documents
2⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\Prefetch
2⤵
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\temp
2⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q E:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q E:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q E:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q E:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Temp
2⤵
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\Intel
2⤵
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\INF
2⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\Public\Documents
2⤵
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\Prefetch
2⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\temp
2⤵
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q F:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q F:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q F:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q F:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Temp
2⤵
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\Intel
2⤵
PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s %systemdrive%\$Recycle.Bin
2⤵
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin
2⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin
2⤵
PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin
2⤵
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
2⤵
PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
2⤵
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
2⤵
- Drops file in Windows directory
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
2⤵
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Logs
2⤵
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
2⤵
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
2⤵
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\Public\Documents
2⤵
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
2⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
2⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
2⤵
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
2⤵
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
2⤵
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
2⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
2⤵
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState
2⤵
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0
2⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState
2⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3
2⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\Intel
2⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
2⤵
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
2⤵
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
2⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
2⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
2⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
2⤵
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
2⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\System Volume Information\IndexerVolumeGuid
2⤵
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
2⤵
PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
2⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
2⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
2⤵
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
2⤵
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
2⤵
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\Public\Libraries
2⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\MSOCache
2⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
2⤵
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
2⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
2⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
2⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
2⤵
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
2⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
2⤵
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
2⤵
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
2⤵
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
2⤵
PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\RHKRUA8J
2⤵
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Temp
2⤵
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
2⤵
PID:588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo [+] Cleaning other traces (You can exit if you want).
2⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\MSOCache
2⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\MSOCache\{71230000-00E2-0000-1000-00000000}
2⤵
PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\MSOCache\{71230000-00E2-0000-1000-00000000}\Setup.dat
2⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\ProgramData\SystemExplorer\snapshots
2⤵
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\All Users\SystemExplorer\snapshots
2⤵
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\ProgramData\SystemExplorer\snapshots\2020_06_23_Unknown.ses
2⤵
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\Public\Shared Files
2⤵
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\Public\Libraries\collection.dat
2⤵
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\All Users\SystemExplorer\snapshots\2020_06_23_Unknown.ses
2⤵
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\0BF0DEAA8A19079E0D347735A2F512415B4D9B14
2⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\007ABEF3D1BC494C378FE9E90815B33676DCEB47
2⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\2A6A06259337531EA5101E9BD8818AE92450FCE4
2⤵
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\2895B436A3CE70D8FCBBA971A99D7782F30E1715
2⤵
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\2FDCB81A51CE8AA26F4BD6E7CDDD3E4152523F6A
2⤵
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\3431F3D7B4D84C39D06C951A08612305A85C35DC
2⤵
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\392F08F2C63619C978F2076694222ABC3054CFC4
2⤵
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\5986EBD68E94FC890557CEA32F6CAEC6CB6F4178
2⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\961B1FEC1E2362CF4FD638D26E622DE659AC92E9
2⤵
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\ADC2EE726BCEA3FC8D627A66C8B3CF417FD2DC42
2⤵
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\B0A009BBE9168ED28F5DECDC24941B2322A8C3D5
2⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\B8A832221A39D663DCF615E77CD4D8C38BE3397F
2⤵
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\C6B9936C20CBD1BAC3492CDB1C9DE3942D67C703
2⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\D35414CB7D187CB3CD779E2C86A7D150063C9457
2⤵
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\D448A2D69B897D0CA64BC7EAD63C82B135B28C90
2⤵
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\E14DAB2F57E4763BB4A8F40F08DD57DC07ADE36C
2⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\E99AFB51C2934AA3D72FE486EEE0EEB4B5F2D9DB
2⤵
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\EB595625E08C501F5484D4F4FE7EB7A3D7AD7582
2⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\F005B0C18B5D2B42267BDF297A7FC7C62901554B
2⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\F127DEB22E390D0C299F3642BDF2B41D6E2A0B9C
2⤵
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /a:h /a:a /d %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\PersistentDownloadDir\CMS\Files\C28FF1DE0C661DAF01E118A30B3F21B897A7A6E2\F5710FD4DE0372D0B1111F2B96C8FBE8E242BABB
2⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\Microsoft\Diagnosis\EventStore.db-wal
2⤵
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\AnyDesk\system.conf
2⤵
PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Uninstall Process Hacker 2.lnk
2⤵
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\SystemExplorer\AutoSearch.idx
2⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\SystemExplorer\config.ini
2⤵
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.59c7b0b4-c337-4d08-b9c0-fa426979e9a5.2.etl
2⤵
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\AnyDesk\system.conf
2⤵
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\Microsoft\Diagnosis\EventStore.db-wal
2⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Uninstall Process Hacker 2.lnk
2⤵
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\SystemExplorer\AutoSearch.idx
2⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\SystemExplorer\config.ini
2⤵
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.59c7b0b4-c337-4d08-b9c0-fa426979e9a5.2.etl
2⤵
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache\713e5022c943532323bc46d7a4a302a3f7bb3ef2d91524f4.bin
2⤵
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\GLCache\c78a16879808119e_e61258832f8d6e72_18.bin
2⤵
PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\GLCache\c78a16879808119e_e61258832f8d6e72_18.idx
2⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache\cb00da9ba77862e\52264C4C-172F-41B9-91B8-7F0C3B1E9021_VEN_1002&DEV_67DF&SUBSYS_C580&REV_E7.idx
2⤵
PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache\cb00da9ba77862e\52264C4C-172F-41B9-91B8-7F0C3B1E9021_VEN_1002&DEV_67DF&SUBSYS_C580&REV_E7.lock
2⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache\cb00da9ba77862e\52264C4C-172F-41B9-91B8-7F0C3B1E9021_VEN_1002&DEV_67DF&SUBSYS_C580&REV_E7.val
2⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
2⤵
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
2⤵
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Cookies
2⤵
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\History
2⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
2⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State
2⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\History-journal
2⤵
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Preferences
2⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Network Persistent State
2⤵
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log
2⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network Persistent State
2⤵
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
2⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Local State
2⤵
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\V01.log
2⤵
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\History.IE5\container.dat
2⤵
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
2⤵
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
2⤵
PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\52264C4C-172F-41B9-91B8-7F0C3B1E9021_VEN_1002&DEV_67DF&SUBSYS_C580&REV_E7.idx
2⤵
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\edb.chk
2⤵
PID:588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\edb.log
2⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb
2⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\52264C4C-172F-41B9-91B8-7F0C3B1E9021_VEN_1002&DEV_67DF&SUBSYS_C580&REV_E7.idx
2⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.jfm
2⤵
PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Temp\0efa73a8-3ee8-4a56-8238-fd66041da5af.tmp
2⤵
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Temp\1cc661c5-2a12-4c15-9709-7719c0d1104f.tmp
2⤵
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Temp\6cb1d810-3967-492f-859c-32eb477d65b0.tmp
2⤵
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Temp\c2d1be50-b570-4916-a74a-001833c49e80.tmp
2⤵
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Temp\ec834d17-9157-48fa-9c87-0d5e11dafba0.tmp
2⤵
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Roaming\discord\Cookies
2⤵
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Roaming\discord\Cookies-journal
2⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Roaming\discord\TransportSecurity
2⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\ntuser.dat.log
2⤵
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\ntuser.dat.log2
2⤵
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Windows\Logs\NetSetup\service.0.etl
2⤵
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Windows\System32\wbem\Repository\INDEX.BTR
2⤵
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Windows\System32\wbem\Repository\MAPPING1.MAP
2⤵
PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Windows\System32\wbem\Repository\OBJECTS.dat
2⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\$Recycle.bin
2⤵
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\$Recycle.bin\S-1-5-18
2⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\$Recycle.bin\S-1-5-21-2891436483-3527068592-4159525493-1000
2⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\$Recycle.bin\S-1-5-21-2891436483-3527068592-4159525493-1001
2⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\$Recycle.bin\S-1-5-21-2891436483-3527068592-4159525493-1001\$IZHXE0R.lnk
2⤵
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\$Recycle.bin\S-1-5-21-2891436483-3527068592-4159525493-1001\$RZHXE0R.lnk
2⤵
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\$Recycle.bin\S-1-5-21-2891436483-3527068592-4159525493-1001\desktop.ini
2⤵
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_10.0.18362.590_b537a032149b3fc544a53a99146fb73534da_00000000_c8f94735-9873-444c-a306-8dd6954b572a
2⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_80004004_22c1ca83e5fa39476cd1d16271645299486b10b8_00000000_929a6e9f-49b8-4215-b682-cc00cf3e418d
2⤵
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_7b704b9417a1f964ba24aef8b6e694eaa4e3f66d_00000000_c90c7df1-a072-4948-a56f-e7c8cd20598c
2⤵
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Acquisition;Lang_90366fa248f7617f221c332dfce0735c7c46c23a_00000000_a7506f65-0dc8-4d50-91cb-369e12f41d9e
2⤵
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cleaner_protecte_fcd481920fdbe9e1bc33fa37d3af173eccfa9_25b40a16_bcd81103-aa68-4b70-858e-e88e8a6a09aa\Report.wer
2⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp\WER8FDB.tmp.werInternalMetadata.xml
2⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp\WER9141.tmp.werInternalMetadata.xml
2⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp\WERB86A.tmp.werInternalMetadata.xml
2⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp\WERCAAA.tmp.werInternalMetadata.xml
2⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp\WERBED3.tmp.werInternalMetadata.xml
2⤵
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\NotificationUxBroker.3236b213-68aa-47bc-9264)-64108ecd7cec.1.etl
2⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\NotificationUxBroker.4630cbeb-d47f-4f81-8c2b-36a04b5af228.1.etl
2⤵
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\NotificationUxBroker.d5ccaa76-0da2-4ca5-80fa-1bf2f8381baf.1.etl
2⤵
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.59c7b0b4-c337-4d08-b9c0-fa426979e9a5.1.etl
2⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.67b6de68-f839-49b6-b54b-2ec0f2db220e.1.etl
2⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.d326e512-11ec-44ce-9a43-c6ccb04a48e2.1.etl
2⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.ef91322e-85f2-43dc-a356-738381fab3ca.1.etl
2⤵
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\UsoCoreWorker.4c906b02-422b-4885-8ffd-64cf55dcbd63.1.etl
2⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\UsoCoreWorker.76bc7c90-3fed-441b-a59b-8409ad5209df.1.etl
2⤵
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\UsoCoreWorker.76bc7c90-3fed-441b-a59b-8409ad5209df.2.etl
2⤵
PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\UsoCoreWorker.8c7fc4f8-c2b7-404e-b42d-5da3c0f99d13.1.etl
2⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\UsoCoreWorker.a994d378-4627-4189-ba2d-8bdf7bc5bfc3.1.etl
2⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\System\UsoCoreWorker.e5dbe7c2-b98a-4c80-a513-a80ac87497fd.1.etl
2⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
2⤵
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotificationUx.497a0dd8-11e8-46a5-9294-74baa180b1f7.1.etl
2⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotificationUx.6575a326-7b5e-4ed3-a22a-9cc1400e38b2.1.etl
2⤵
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotificationUx.5f227995-df8a-41ea-b26c-39b09ac901d5.1.etl
2⤵
PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotifyIcon.1100a9bf-ce6b-4823-964c-d605105b3440.1.etl
2⤵
PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotifyIcon.17f3e9d0-47ab-4b97-8ad1-585e4810e497.1.etl
2⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotifyIcon.34bdef42-73f4-4dad-b870-d2cdc24c5e59.1.etl
2⤵
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotifyIcon.36301e5d-4a82-47a1-90d4-37a3fe906028.1.etl
2⤵
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotifyIcon.471d76f8-9796-40d2-b2e2-916e32bb7ff0.1.etl
2⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotifyIcon.96aa18ac-3a07-4fd9-b91e-45ae5a9a7b55.1.etl
2⤵
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotifyIcon.ad298cfd-c66e-429d-a543-a03d5071d516.1.etl
2⤵
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotifyIcon.b5ef1747-8295-4348-a428-698e9d9bab48.1.etl
2⤵
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotifyIcon.dc5e816f-ac3c-4118-a459-52eac5ae8162.1.etl
2⤵
PID:276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotifyIcon.f7a6eb35-0f66-4072-9e2f-c3396e63d00e.1.etl
2⤵
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\ProgramData\USOShared\Logs\User\NotifyIcon.fee9dab9-a620-41ae-a8ac-8a567dc512f8.1.etl
2⤵
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\All Users\Microsoft\Windows\WER\ReportArchive\Critical_10.0.18362.590_b537a032149b3fc544a53a99146fb73534da_00000000_c8f94735-9873-444c-a306-8dd6954b572a
2⤵
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\All Users\Microsoft\Windows\WER\ReportArchive\NonCritical_80004004_22c1ca83e5fa39476cd1d16271645299486b10b8_00000000_929a6e9f-49b8-4215-b682-cc00cf3e418d
2⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\All Users\Microsoft\Windows\WER\ReportArchive\NonCritical_Acquisition;Lang_90366fa248f7617f221c332dfce0735c7c46c23a_00000000_a7506f65-0dc8-4d50-91cb-369e12f41d9e
2⤵
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\All Users\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_7b704b9417a1f964ba24aef8b6e694eaa4e3f66d_00000000_c90c7df1-a072-4948-a56f-e7c8cd20598c
2⤵
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_cleaner_protecte_fcd481920fdbe9e1bc33fa37d3af173eccfa9_25b40a16_bcd81103-aa68-4b70-858e-e88e8a6a09aa\Report.wer
2⤵
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\Microsoft\Windows\WER\Temp\WER8FDB.tmp.werInternalMetadata.xml
2⤵
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\Microsoft\Windows\WER\Temp\WER9141.tmp.werInternalMetadata.xml
2⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\Microsoft\Windows\WER\Temp\WERB86A.tmp.werInternalMetadata.xml
2⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\Microsoft\Windows\WER\Temp\WERCAAA.tmp.werInternalMetadata.xml
2⤵
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\Microsoft\Windows\WER\Temp\WERBED3.tmp.werInternalMetadata.xml
2⤵
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\NotificationUxBroker.3236b213-68aa-47bc-9264-64108ecd7cec.1.etl
2⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\NotificationUxBroker.4630cbeb-d47f-4f81-8c2b-36a04b5af228.1.etl
2⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\NotificationUxBroker.d5ccaa76-0da2-4ca5-80fa-1bf2f8381baf.1.etl
2⤵
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.59c7b0b4-c337-4d08-b9c0-fa426979e9a5.1.etl
2⤵
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.67b6de68-f839-49b6-b54b-2ec0f2db220e.1.etl
2⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.d326e512-11ec-44ce-9a43-c6ccb04a48e2.1.etl
2⤵
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.ef91322e-85f2-43dc-a356-738381fab3ca.1.etl
2⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\UsoCoreWorker.4c906b02-422b-4885-8ffd-64cf55dcbd63.1.etl
2⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\UsoCoreWorker.76bc7c90-3fed-441b-a59b-8409ad5209df.1.etl
2⤵
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\UsoCoreWorker.76bc7c90-3fed-441b-a59b-8409ad5209df.2.etl
2⤵
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\UsoCoreWorker.8c7fc4f8-c2b7-404e-b42d-5da3c0f99d13.1.etl
2⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\UsoCoreWorker.a994d378-4627-4189-ba2d-8bdf7bc5bfc3.1.etl
2⤵
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\System\UsoCoreWorker.e5dbe7c2-b98a-4c80-a513-a80ac87497fd.1.etl
2⤵
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\All Users\USOShared\Logs\User
2⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotificationUx.497a0dd8-11e8-46a5-9294-74baa180b1f7.1.etl
2⤵
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotificationUx.5f227995-df8a-41ea-b26c-39b09ac901d5.1.etl
2⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotificationUx.6575a326-7b5e-4ed3-a22a-9cc1400e38b2.1.etl
2⤵
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotifyIcon.1100a9bf-ce6b-4823-964c-d605105b3440.1.etl
2⤵
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotifyIcon.17f3e9d0-47ab-4b97-8ad1-585e4810e497.1.etl
2⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotifyIcon.34bdef42-73f4-4dad-b870-d2cdc24c5e59.1.etl
2⤵
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotifyIcon.36301e5d-4a82-47a1-90d4-37a3fe906028.1.etl
2⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotifyIcon.471d76f8-9796-40d2-b2e2-916e32bb7ff0.1.etl
2⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotifyIcon.96aa18ac-3a07-4fd9-b91e-45ae5a9a7b55.1.etl
2⤵
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotifyIcon.ad298cfd-c66e-429d-a543-a03d5071d516.1.etl
2⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotifyIcon.b5ef1747-8295-4348-a428-698e9d9bab48.1.etl
2⤵
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotifyIcon.dc5e816f-ac3c-4118-a459-52eac5ae8162.1.etl
2⤵
PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotifyIcon.f7a6eb35-0f66-4072-9e2f-c3396e63d00e.1.etl
2⤵
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\All Users\USOShared\Logs\User\NotifyIcon.fee9dab9-a620-41ae-a8ac-8a567dc512f8.1.etl
2⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\cmdb.blb
2⤵
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\gallery.blb
2⤵
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\GameReport
2⤵
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\gmdb.blb
2⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
2⤵
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed\25
2⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed\25\NewsFeedImages
2⤵
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\restreamserverlist.json
2⤵
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\twserverlist.json
2⤵
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DVR
2⤵
PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DVR\6361858243035925429
2⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DVR\6361858243035925429\0
2⤵
PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DVR\8734853907968866203
2⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DVR\8734853907968866203\0
2⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache\03fa51c89e705ca48a277c5f61004179235a33edd771be4d.bin
2⤵
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache\0a546cba296a9e68f265c3086aa07c28dd6605e3ba8893bb.bin
2⤵
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache\16352c589ce268395b7e0ca9a4f6bfa5857772834eb83082.bin
2⤵
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache\30134e9231aa4e87e72371d23d4c84d4326cb10e3daa1b6e.bin
2⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache\7dce470adc74577df2582ed5b5a8ce35a4ebfb66e18142df.bin
2⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache\87932ef93f496025f013319c395883d82867ade4ed449958.bin
2⤵
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache\8b580fb76064a4d2a69a53bc936a3867550d26af3eace690.bin
2⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache\8c6a2b54a99124e892e8d2a67d26b9473564794857df0427.bin
2⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache\9074b7d9148660580c6e1c66c0ff60f3114586f57e9c924b.bin
2⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache\9110b7c65293fb625937ec3df1bfc1036122dc7a3c84288c.bin
2⤵
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache\e2429c735535a36661d281e5670fd566672ec75767f667f7.bin
2⤵
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\GLCache\233f747ba72d112e_e61258832f8d6e72_18.bin
2⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\GLCache\233f747ba72d112e_e61258832f8d6e72_18.idx
2⤵
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\GLCache\9e7193c876c6bfd9_e61258832f8d6e72_18.bin
2⤵
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\GLCache\9e7193c876c6bfd9_e61258832f8d6e72_18.idx
2⤵
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\GLCache\acb585400ae887c3_e61258832f8d6e72_18.bin
2⤵
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\GLCache\acb585400ae887c3_e61258832f8d6e72_18.idx
2⤵
PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\GLCache\e1605a43ab40e170_e61258832f8d6e72_18.bin
2⤵
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\GLCache\e1605a43ab40e170_e61258832f8d6e72_18.idx
2⤵
PID:588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\OpenVR
2⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\OpenVR\settings
2⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\OpenVR\settings\settings.json
2⤵
PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache
2⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache
2⤵
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\0287568f6b75a8de2d21278106c373f2fd10f5ab.qmlc
2⤵
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\055ab669598a85b07ca1a312b70bb2d735566235.jsc
2⤵
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\05760cce83a8dfa687256693a7397a94161c7429.qmlc
2⤵
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\0bd5cf23c1a78fdd98ccbf96a05645392c65305c.qmlc
2⤵
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\14b0de5879e797bed4ed649bc7457ada52a71c3b.qmlc
2⤵
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\1d6263d03294a2f9bcd55bde4f33e5de1ed9c0f2.qmlc
2⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\29bb0c0bf0b58d48d2c7055bcc94c1807afc5bc8.qmlc
2⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\2bad62830a1a3fa395c30b0def6305959ce00e7d.qmlc
2⤵
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\39e558df74e490d8b2a9a7898d04ba05ba07d713.qmlc
2⤵
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\3ecf731716e712a87e5a1497cd9982009895b0ed.qmlc
2⤵
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\452515eb941cb7160682f3dca588491df831c58a.qmlc
2⤵
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\4e6c64374802c0a24d026cc2f1f6576e1f2d9deb.qmlc
2⤵
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\507b532306dc57a70dba6d385fa1db221bdc1196.qmlc
2⤵
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\5846ecc766658c42f6899c3300227c24422c029c.qmlc
2⤵
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\5a10e3c0d63fbbb9d532fdff7b935943e9a4180b.qmlc
2⤵
PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\659d032d7554e20815645659c4a4771ad6f28eaa.qmlc
2⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\667239feb931f410e4c21a0a66b1f36ea615f256.qmlc
2⤵
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\6d7e9aa9e1f7bdef62c968f6ba5c6262feef3652.qmlc
2⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\6f24684d8b50193eb3cdfee634ff56f1ba4b5ffd.jsc
2⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\764491f39a190ce4784fe9fb5f9321d6a83a6923.qmlc
2⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\7db9dca541ca970bbde9a255a4c8ad930d661522.qmlc
2⤵
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\7ef944aa89e49823dadcfe593aceb667d1f0ca6b.qmlc
2⤵
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\8b421c776123b00d00c5fc368b81f68c22c3bf3a.qmlc
2⤵
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\93f9f424943f9bc70e700cc1b13e475994baf4dc.qmlc
2⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\95a8b5eb4b9d209a46517148d3490ca93123bfc6.qmlc
2⤵
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\9b2c821191df464a61bc66bd5026075a4b232af8.jsc
2⤵
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\9cb98731fb29195e48040dc21ae224f0d4c3cc71.qmlc
2⤵
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\a178e511f194367f96881a7f045e55580475fc41.qmlc
2⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\a24fa65f5047c8878e02c45ce342d5d69adf2067.qmlc
2⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\abc17aac885f87afcc5fbea22502bfa7c3e539ca.qmlc
2⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\ac4358be4e9a3cdeb4a8e1d576ec478aa216e9b9.qmlc
2⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\b61b2ceb9b2be7177aab396b65e75f1be5156c45.qmlc
2⤵
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\bfd74a5141e51e29b3940c0f698c2755e8764fb3.qmlc
2⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\c4d8484a5bc074b78ea4656d40571c254284a480.qmlc
2⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\c7f5d769a1cf8c7f79053219959679b2a01cd04a.qmlc
2⤵
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\d0ed837cb6b63600f6074e658f45046a81cce16b.qmlc
2⤵
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\d7c9692f2b381eb260ee1d3b3bf35a5ce64ca547.qmlc
2⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\d21507d20efc9bdd144e9be39568879e5b8ab2dd.qmlc
2⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\e32adf378436174ff740b9f268a4fb98f4a5fb41.qmlc
2⤵
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\d9ff1789c7bf11aa8d294ede3df00436548279aa.qmlc
2⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\e50e62317dd976f8872060c6060416dd3dac1b22.qmlc
2⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\e85ee428750b0511dee051a15583b9849dbe5386.qmlc
2⤵
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\fded362ed867cc3f22faf60c8331c4a030442901.qmlc
2⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\cache\qmlcache\f353ffb44954d9d0a50ef976fad4f9df06ed65f2.qmlc
2⤵
PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\blob_storage
2⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\blob_storage\bf8f1297-2ff1-4c58-bd63-f4aa0c1561aa
2⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\blob_storage\c094866d-54bb-428c-8740-597c81a11fd2
2⤵
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\GPUCache
2⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\GPUCache\data_0
2⤵
PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\GPUCache\data_1
2⤵
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\GPUCache\data_2
2⤵
PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\GPUCache\data_3
2⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\GPUCache\index
2⤵
PID:268

C:\Windows\system32\netsh.exe
NETSH INTERFACE IPV6 RESET
1⤵
PID:524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1480

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
1⤵
- Modifies registry key
PID:1688

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-26644 /f
1⤵
PID:1360

C:\Windows\system32\netsh.exe
netsh int ipv4 reset
1⤵
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8~2
Filesize
1KB

MD5
2f108e05ed741c61d7e0541f9aa2fd95

SHA1
c2c9db7404c846a94d92c296855ebb59030cb352

SHA256
429057d0b17a31f507119e93d488814ab306344c3fbc7241fe47eab54e1635b7

SHA512
6297a240374426503b30a6c1608b7555e130a425f5dfabf728eb032f4526bbdbb5745a938d4c7d62cba4a7a49a91b1ec88f25d2759f701e10e5418194c94e277

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67F~1
Filesize
279B

MD5
87453b0b9fa1060323460ead9cc744f4

SHA1
d788a081f14239da77a18749706e1dfe4039a27b

SHA256
6392b0d99f1d42d3365c7db475271bece9e742f68d41bbfc22e25811134b6a59

SHA512
2858d97477fa3390206b7fc1c1d1a9cddc5f02e61fd412edca71a6fb55934a8b1cce35e3f1aaf6603b0544966ad4ebdbe1988aae5e447ccfcd0dc5a9e051f20f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B8~1
Filesize
471B

MD5
b269d74cfe043828baa092a242f9aa66

SHA1
75002c778a2a2784940ed9d097014279858f172c

SHA256
044dd36c37639c3542247810e70a716cab619a5c09d5088dd32c922684a01c0f

SHA512
5f7aba278abc1937857ab923208600b33f1f6b555d747f45ad496a464eec6a41155b0f8e507599c1ff9a4108a3b21f8052b9cde900644f9cd272b9a6d96523de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8~2
Filesize
438B

MD5
fcb841f4e7cb6a718e1ed7a97ae5bfea

SHA1
b80b188557cbd3af7ca258ce6737a0a226dea412

SHA256
db76c85ae7930bb40fe49c531e6a80d2b81c2f2c8293a1bf619d0d3c9b4aad6c

SHA512
37b2bee0aa00c5eed8270e078a1ac99c86456b1c353109dbece4b3a78b5ae5f8914e2fe1a6c682876ea4883cde35dcb456ee956e136fe6743388b0b5c48cd96e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\943080~1
Filesize
340B

MD5
4a759ccf76437f9daa399c78bec9cf44

SHA1
dc4bebd87b322c9192d4cf4c8e925913c78f4d7c

SHA256
3d3bc159c6e9adc2a8c5ff622a9d2df356460820d43e726675199b9767ba446c

SHA512
24b4db59fb5f960874b3cfe2085f501d71788f27728792c3f2010f3471125d19de1c607f9df8ec94c29b85dae2067c57d870c5d88d80367f69a707052a5829ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67F~1
Filesize
430B

MD5
cd14582654946a45b5738572c4003f3d

SHA1
60ad705172e9e704d99ea3daddcf4386ded469ae

SHA256
f5ce6627302bb2080f0a7a7e3bda8ef5e51528ee1899e3d9ae906a8e6e44c88d

SHA512
cbfd87a0bb68f0e985060a6c170bcb85622fb74319dc89581f27aa0715aad495c6f82cbff34c0ba25d05eca1a5a0cd8d6ff278d2684846ff47554f9e3fd425c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B8~1
Filesize
400B

MD5
9d11f2a722235cbc80bd4000ae1a85cb

SHA1
147d46a674bbc614387a0038f465e7890cf67062

SHA256
8c8804f6a848df49ad86b13db5100bc5e9733247468bce700cff197da5231f44

SHA512
d237e90bc53352f82a51c574b8f9ae680a5c1fd433e365183153486f55a3ef92a880f2fc9af6e2d2cb123b8e1008a3a7192042fda5f95ccc81ae9c26e4c37b6e

Download Submit
C:\Windows\IME\kdmapper.exe
Filesize
454KB

MD5
b954b605163a06bcd5ba4cf8f9cc4e03

SHA1
3cce640a2a71cb3b004256e23ad27eae63554498

SHA256
3b00d34ae7cd43fbd70d9bd8a15ffd7e432af77db6f76e8763573bbdda8f112b

SHA512
bfb4173de17e4fd6f843be18e7c799643883d6ea81e015e109da05f7c09709a8c0f8cb05ca4b0ffca8c448da947cc14a94f7acbd9b1d15e3a3c995cc806aaf39

Download Submit
\Windows\IME\kdmapper.exe
Filesize
454KB

MD5
b954b605163a06bcd5ba4cf8f9cc4e03

SHA1
3cce640a2a71cb3b004256e23ad27eae63554498

SHA256
3b00d34ae7cd43fbd70d9bd8a15ffd7e432af77db6f76e8763573bbdda8f112b

SHA512
bfb4173de17e4fd6f843be18e7c799643883d6ea81e015e109da05f7c09709a8c0f8cb05ca4b0ffca8c448da947cc14a94f7acbd9b1d15e3a3c995cc806aaf39

Download Submit
memory/268-128-0x0000000000000000-mapping.dmp

Download
memory/384-84-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/384-85-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/384-79-0x0000000000000000-mapping.dmp

Download
memory/384-87-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/384-83-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/384-82-0x000007FEF3800000-0x000007FEF435D000-memory.dmp

Filesize
11.4MB

Download
memory/384-81-0x000007FEF4360000-0x000007FEF4D83000-memory.dmp

Filesize
10.1MB

Download
memory/384-86-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/428-114-0x0000000000000000-mapping.dmp

Download
memory/516-132-0x0000000000000000-mapping.dmp

Download
memory/524-99-0x0000000000000000-mapping.dmp

Download
memory/560-105-0x0000000000000000-mapping.dmp

Download
memory/596-96-0x0000000000000000-mapping.dmp

Download
memory/636-65-0x0000000000000000-mapping.dmp

Download
memory/652-112-0x0000000000000000-mapping.dmp

Download
memory/672-95-0x0000000000000000-mapping.dmp

Download
memory/708-121-0x0000000000000000-mapping.dmp

Download
memory/756-117-0x0000000000000000-mapping.dmp

Download
memory/764-77-0x0000000000000000-mapping.dmp

Download
memory/792-131-0x0000000000000000-mapping.dmp

Download
memory/808-59-0x0000000000000000-mapping.dmp

Download
memory/840-62-0x0000000000000000-mapping.dmp

Download
memory/868-75-0x0000000000000000-mapping.dmp

Download
memory/868-107-0x0000000000000000-mapping.dmp

Download
memory/972-122-0x0000000000000000-mapping.dmp

Download
memory/972-76-0x0000000000000000-mapping.dmp

Download
memory/1012-113-0x0000000000000000-mapping.dmp

Download
memory/1060-106-0x0000000000000000-mapping.dmp

Download
memory/1060-56-0x0000000000000000-mapping.dmp

Download
memory/1136-89-0x0000000000000000-mapping.dmp

Download
memory/1180-61-0x0000000000000000-mapping.dmp

Download
memory/1180-130-0x0000000000000000-mapping.dmp

Download
memory/1212-90-0x0000000000000000-mapping.dmp

Download
memory/1296-72-0x0000000000000000-mapping.dmp

Download
memory/1296-74-0x000000013FDC0000-0x000000013FE58000-memory.dmp

Filesize
608KB

Download
memory/1400-110-0x0000000000000000-mapping.dmp

Download
memory/1400-127-0x0000000000000000-mapping.dmp

Download
memory/1468-119-0x0000000000000000-mapping.dmp

Download
memory/1480-66-0x0000000000000000-mapping.dmp

Download
memory/1480-93-0x0000000000000000-mapping.dmp

Download
memory/1484-55-0x0000000000000000-mapping.dmp

Download
memory/1508-118-0x0000000000000000-mapping.dmp

Download
memory/1560-116-0x0000000000000000-mapping.dmp

Download
memory/1560-88-0x0000000000000000-mapping.dmp

Download
memory/1580-125-0x0000000000000000-mapping.dmp

Download
memory/1588-102-0x0000000000000000-mapping.dmp

Download
memory/1616-124-0x0000000000000000-mapping.dmp

Download
memory/1616-109-0x0000000000000000-mapping.dmp

Download
memory/1628-98-0x0000000000000000-mapping.dmp

Download
memory/1632-54-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download
memory/1644-133-0x0000000000000000-mapping.dmp

Download
memory/1648-63-0x0000000000000000-mapping.dmp

Download
memory/1648-134-0x0000000000000000-mapping.dmp

Download
memory/1688-126-0x0000000000000000-mapping.dmp

Download
memory/1696-129-0x0000000000000000-mapping.dmp

Download
memory/1720-70-0x0000000000000000-mapping.dmp

Download
memory/1720-101-0x0000000000000000-mapping.dmp

Download
memory/1724-67-0x0000000000000000-mapping.dmp

Download
memory/1728-104-0x0000000000000000-mapping.dmp

Download
memory/1728-120-0x0000000000000000-mapping.dmp

Download
memory/1760-78-0x0000000000000000-mapping.dmp

Download
memory/1760-115-0x0000000000000000-mapping.dmp

Download
memory/1760-58-0x0000000000000000-mapping.dmp

Download
memory/1764-123-0x0000000000000000-mapping.dmp

Download
memory/1800-69-0x0000000000000000-mapping.dmp

Download
memory/1912-111-0x0000000000000000-mapping.dmp

Download
memory/1916-64-0x0000000000000000-mapping.dmp

Download
memory/1976-68-0x0000000000000000-mapping.dmp

Download
memory/1984-60-0x0000000000000000-mapping.dmp

Download
memory/1996-92-0x0000000000000000-mapping.dmp

Download
memory/2040-108-0x0000000000000000-mapping.dmp

Download
memory/2040-57-0x0000000000000000-mapping.dmp

Download