f7f336955fa601fcd9ecb0e30911e6543882b2027dcbd27ac307d25fabd342db

Analysis

max time kernel
14s
max time network
40s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Meta Unban/Cleaners/NXTcleaner.exe
Size

3.2MB
MD5

644399a0aff07bd4f7dc1eb5aa5c0236
SHA1

243f1f7bb95af8d3c44a270772f408c6febb06af
SHA256

5d101b2efae1e9390ac98e014a05d54338ec45cd73ff5dd70842877910f7b758
SHA512

73db539182c67d18b4e491966672876054cdeaae9d5ac024f1991a0551aea74867d9f1df7487655a5c9089553b967c09f558b02e33ec0cc015b6587fd5eb2508
SSDEEP

49152:MVmDUcyg2ImpoHJSt6Ia+CZEV2o8vMT3/nwlU5igpWV7JEW8np2Klad4j0Vs:MsgcypOSUI+qmJo+QZladTV

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Windows directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\INF\WINDOW~1.0\0000\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\0000\_dataperfcounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\netavpna.inf	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0000\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\sceregvl.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0411\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGATHE~1\0C0A\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\0410\_DataPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0411\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~2\0409\_Networkingperfcounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0411\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0410\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0407\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\040C\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\_DataPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTCB~1.0\0000\_TransactionBridgePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\netbrdgm.inf	cmd.exe
File opened for modification	C:\Windows\INF\netbrdgs.inf	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0C0A\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0407\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\netpacer.inf	cmd.exe
File opened for modification	C:\Windows\INF\BITS\bitsctr.h	cmd.exe
File opened for modification	C:\Windows\INF\es-ES\netavpna.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0411\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0410\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGATHE~1\0411\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\0409\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\WSEARC~1\0410\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\lltdio.inf	cmd.exe
File opened for modification	C:\Windows\INF\nettcpip.inf	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\rasctrnm.h	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0C0A\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0409\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\netpgm.inf	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\040C\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\040C\gthrctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\0411\_DataPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0000\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0409\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGATHE~1\040C\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\0407\gthrctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\0C0A\_dataperfcounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETFRA~1\0000\corperfmonsymbols_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\fontsetup.inf	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0411\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0C0A\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\0410\_dataperfcounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETFRA~1\0409\corperfmonsymbols_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0000\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\en-US\netavpnt.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\040C\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\WSEARC~1\040C\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0000\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\0409\_DataPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\0407\_dataperfcounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETFRA~1\CORPerfMonSymbols.h	cmd.exe
File opened for modification	C:\Windows\INF\MSDTCB~1.0\0410\_TransactionBridgePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0409\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\netvwififlt.inf	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0411\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\SMSVCH~1.0\0410\_SMSvcHostPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\dwup.inf	cmd.exe
File opened for modification	C:\Windows\INF\ja-JP\netavpna.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0000\ReadyBoostPerfCounters.ini	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1508 taskkill.exe
956 taskkill.exe
892 taskkill.exe

pid	process
1508	taskkill.exe
956	taskkill.exe
892	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E8CE2C1-C875-11ED-810E-724BB54F6CA2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 9 IoCs

Processes:

NXTcleaner.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\discord-812970075899428864\URL Protocol	NXTcleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\discord-812970075899428864\DefaultIcon	NXTcleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\discord-812970075899428864\shell\open	NXTcleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\discord-812970075899428864\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meta Unban\\Cleaners\\NXTcleaner.exe"	NXTcleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\discord-812970075899428864	NXTcleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\discord-812970075899428864\ = "URL:Run game 812970075899428864 protocol"	NXTcleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\discord-812970075899428864\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meta Unban\\Cleaners\\NXTcleaner.exe"	NXTcleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\discord-812970075899428864\shell\open\command	NXTcleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\discord-812970075899428864\shell	NXTcleaner.exe

Modifies registry key 1 TTPs 49 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
2952	reg.exe
2256	reg.exe
2108	reg.exe
1808	reg.exe
2596	reg.exe
2396	reg.exe
2084	reg.exe
2412	reg.exe
2756	reg.exe
2556	reg.exe
2220	reg.exe
2192	reg.exe
3016	reg.exe
2328	reg.exe
2960	reg.exe
2832	reg.exe
2848	reg.exe
2788	reg.exe
2348	reg.exe
2128	reg.exe
2344	reg.exe
2388	reg.exe
2200	reg.exe
2796	reg.exe
2972	reg.exe
2064	reg.exe
2028	reg.exe
2524	reg.exe
2456	reg.exe
2516	reg.exe
2976	reg.exe
2344	reg.exe
2360	reg.exe
1656	reg.exe
2396	reg.exe
1512	reg.exe
2176	reg.exe
2604	reg.exe
3044	reg.exe
1512	reg.exe
2892	reg.exe
2968	reg.exe
2748	reg.exe
3028	reg.exe
596	reg.exe
2736	reg.exe
2484	reg.exe
2812	reg.exe
2272	reg.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

cmd.execmd.execmd.exe

description pid process

Token: SeDebugPrivilege 956 cmd.exe
Token: SeDebugPrivilege 892 cmd.exe
Token: SeDebugPrivilege 1508 cmd.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1336 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1336 iexplore.exe
1336 iexplore.exe
1436 IEXPLORE.EXE
1436 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	956	cmd.exe
Token: SeDebugPrivilege	892	cmd.exe
Token: SeDebugPrivilege	1508	cmd.exe

pid	process
1336	iexplore.exe

pid	process
1336	iexplore.exe
1336	iexplore.exe
1436	IEXPLORE.EXE
1436	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NXTcleaner.execmd.execmd.execonhost.exeiexplore.exe

description	pid	process	target process
PID 1560 wrote to memory of 552	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 552	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 552	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 768	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 768	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 768	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 772	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 772	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 772	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 592	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 592	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 592	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 432	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 432	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 432	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1816	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1816	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1816	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1392	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1392	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1392	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1948	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1948	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1948	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1944	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1944	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1944	1560	NXTcleaner.exe	cmd.exe
PID 1944 wrote to memory of 1336	1944	cmd.exe	iexplore.exe
PID 1944 wrote to memory of 1336	1944	cmd.exe	iexplore.exe
PID 1944 wrote to memory of 1336	1944	cmd.exe	iexplore.exe
PID 1560 wrote to memory of 1260	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1260	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1260	1560	NXTcleaner.exe	cmd.exe
PID 1260 wrote to memory of 956	1260	cmd.exe	taskkill.exe
PID 1260 wrote to memory of 956	1260	cmd.exe	taskkill.exe
PID 1260 wrote to memory of 956	1260	cmd.exe	taskkill.exe
PID 1560 wrote to memory of 1756	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1756	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1756	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 240	1560	NXTcleaner.exe	conhost.exe
PID 1560 wrote to memory of 240	1560	NXTcleaner.exe	conhost.exe
PID 1560 wrote to memory of 240	1560	NXTcleaner.exe	conhost.exe
PID 1560 wrote to memory of 1592	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1592	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1592	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1120	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1120	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1120	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 680	1560	NXTcleaner.exe	conhost.exe
PID 1560 wrote to memory of 680	1560	NXTcleaner.exe	conhost.exe
PID 1560 wrote to memory of 680	1560	NXTcleaner.exe	conhost.exe
PID 680 wrote to memory of 1508	680	conhost.exe	cmd.exe
PID 680 wrote to memory of 1508	680	conhost.exe	cmd.exe
PID 680 wrote to memory of 1508	680	conhost.exe	cmd.exe
PID 1560 wrote to memory of 772	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 772	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 772	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1768	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1768	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 1768	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 888	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 888	1560	NXTcleaner.exe	cmd.exe
PID 1560 wrote to memory of 888	1560	NXTcleaner.exe	cmd.exe
PID 1336 wrote to memory of 1436	1336	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\NXTcleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\NXTcleaner.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
2⤵
PID:772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
2⤵
PID:1816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
2⤵
- Drops file in Windows directory
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://nxt.lol/
2⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://nxt.lol/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1336 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
PID:956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
2⤵
PID:240

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
PID:892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:1592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
2⤵
PID:680

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
3⤵
- Kills process with taskkill
PID:1508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
2⤵
PID:1768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
2⤵
PID:888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:1044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:2012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:1108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:2004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:1684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:1152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:1656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:1728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:1052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:1964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:1808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:1700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
2⤵
PID:768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\Public\Documents
2⤵
PID:600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
2⤵
PID:1768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:1816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:1736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
2⤵
PID:316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
2⤵
PID:1168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
2⤵
PID:1496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
2⤵
PID:1064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
2⤵
PID:892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:1492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
2⤵
PID:1576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\Intel
2⤵
PID:548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\system_no_output32\config\system_no_outputprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:1512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:1564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:1688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
2⤵
PID:1032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
2⤵
PID:1552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
2⤵
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
2⤵
PID:1592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
2⤵
PID:1700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
2⤵
PID:240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\system_no_output Volume Information\IndexerVolumeGuid
2⤵
PID:524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
2⤵
PID:1104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
2⤵
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
2⤵
PID:2012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
2⤵
PID:1032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\system_no_output32\restore\MachineGuid.txt
2⤵
PID:1552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
2⤵
PID:956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\Public\Libraries
2⤵
PID:1064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\MSOCache
2⤵
PID:772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
2⤵
PID:1656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
2⤵
PID:848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
2⤵
PID:1108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
2⤵
PID:1496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
2⤵
PID:1552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
2⤵
PID:1508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
2⤵
PID:1032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
2⤵
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
2⤵
PID:1028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\RHKRUA8J
2⤵
PID:1768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
2⤵
PID:1360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Temp
2⤵
PID:2560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
2⤵
PID:2788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rd /q /s C:\$Recycle.Bin >nul 2>&1
2⤵
PID:2924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
2⤵
PID:3036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:2916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:2364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
2⤵
PID:3036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
2⤵
PID:2872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:2548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:2584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:2620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:2920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
2⤵
PID:2192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
2⤵
PID:2788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:2348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:1028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:2884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:2468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:2632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
2⤵
PID:2456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:2840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:2892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:2588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:2972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:2060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:2700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:1688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:2448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:2220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:3012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:2804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:1768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
2⤵
PID:2240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
2⤵
PID:2280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\Public\Documents
2⤵
PID:2420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:2396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:2484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:2516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
2⤵
PID:2544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:2480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:2596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:2656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:2616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:2672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a:a /q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:2868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:2952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
2⤵
PID:2944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:2092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:1512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:1492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:2448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:2112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:2164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:1104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:1592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:1348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:2304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:2740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:2424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:2376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:1776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
2⤵
PID:2676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
2⤵
PID:2572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
2⤵
PID:2648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
2⤵
PID:2884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
2⤵
PID:2484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /s /f /a:h /a:a /d C:\MSOCache\{71230000_00E2-0000-1000-00000000}\Setup.dat
2⤵
PID:2696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:2592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
2⤵
PID:2560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\Intel
2⤵
PID:2332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:2760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:2824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
2⤵
PID:2616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:2408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
2⤵
PID:2976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
2⤵
PID:2940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
2⤵
PID:2960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
2⤵
PID:2900

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
3⤵
- Modifies registry key
PID:1808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
2⤵
PID:2748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
2⤵
PID:3024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:2556

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 10815202247133250481238012515170952975191321661366821718 /f
3⤵
- Modifies registry key
PID:596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
2⤵
PID:2068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
2⤵
PID:1728

C:\Windows\system32\reg.exe
reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
3⤵
- Modifies registry key
PID:2192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
2⤵
PID:2184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
2⤵
PID:2176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1036

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 108193097224998163442269516442202084828761046552021762 /f
3⤵
- Modifies registry key
PID:3016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
2⤵
PID:2196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:1152

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-10819 /f
3⤵
- Modifies registry key
PID:1656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
2⤵
PID:2052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:2680

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-10819 /f
3⤵
- Modifies registry key
PID:2328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
2⤵
PID:528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:2376

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 10819-30972-24998-16344 /f
3⤵
- Modifies registry key
PID:2344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
2⤵
PID:1776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {%random%-%random} /f
2⤵
PID:2156

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {10819-%random} /f
3⤵
- Modifies registry key
PID:2396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
2⤵
PID:2460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
2⤵
PID:2872

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 108193097224998 /f
3⤵
- Modifies registry key
PID:2388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\Public\Libraries
2⤵
PID:2436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random% /f
2⤵
PID:2372

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 10819 /f
3⤵
- Modifies registry key
PID:2604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\MSOCache
2⤵
PID:2516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random% /f
2⤵
PID:2488

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 10819 /f
3⤵
- Modifies registry key
PID:2596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:2720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
2⤵
PID:2204

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 108193097224998 /f
3⤵
- Modifies registry key
PID:2832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
2⤵
PID:2824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
2⤵
PID:2444

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {10819-30972-2499816344} /f
3⤵
- Modifies registry key
PID:2736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
2⤵
PID:2144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
2⤵
PID:2692

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {10819-30972-2499816344} /f
3⤵
- Modifies registry key
PID:2848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
2⤵
PID:2992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
2⤵
PID:3000

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {10819-30972-2499816344} /f
3⤵
- Modifies registry key
PID:2960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:3004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:1356

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 10819-30972-2499816344 /f
3⤵
- Modifies registry key
PID:2064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:3056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:2808

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 10819-30972-2499816344 /f
3⤵
- Modifies registry key
PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
2⤵
PID:2260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:592

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 10822-8953-100947639 /f
3⤵
- Modifies registry key
PID:1512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:2284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:3028

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 10822-8953-100947639 /f
3⤵
- Modifies registry key
PID:2200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
2⤵
PID:2624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:2704

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 10822-8953-100947639 /f
3⤵
- Modifies registry key
PID:2796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
2⤵
PID:272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:2108

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 10822-8953-100947639 /f
3⤵
- Modifies registry key
PID:2176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
2⤵
PID:2684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:3048

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 10822-8953-100947639 /f
3⤵
- Modifies registry key
PID:3044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
2⤵
PID:2196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
2⤵
PID:2804

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {10822-8953-100947639} /f
3⤵
- Modifies registry key
PID:2412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
2⤵
PID:1768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%-%random%-%random%%random%} /f
2⤵
PID:2680

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {10822-8953-100947639} /f
3⤵
- Modifies registry key
PID:2348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
2⤵
PID:2356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:2376

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-10822 /f
3⤵
- Modifies registry key
PID:2396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Temp
2⤵
PID:2532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
2⤵
PID:2724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
2⤵
PID:2860

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 10822 /f
3⤵
- Modifies registry key
PID:2484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:2492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
2⤵
PID:2476

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 10822 /f
3⤵
- Modifies registry key
PID:2524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:2716

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-10822 /f
3⤵
- Modifies registry key
PID:2516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
2⤵
PID:2820

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {10825-19701-27958-3170210556} /f
3⤵
- Modifies registry key
PID:2084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
2⤵
PID:2152

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {10825-19701-27958-3170210556} /f
3⤵
- Modifies registry key
PID:2456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
2⤵
PID:2576

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 10825 /f
3⤵
- Modifies registry key
PID:2812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
2⤵
PID:2368

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 10825 /f
3⤵
- Modifies registry key
PID:2756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
2⤵
PID:2364

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 10825 /f
3⤵
- Modifies registry key
PID:2976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:2984

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 10825-19701-27958-31702 /f
3⤵
- Modifies registry key
PID:2892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:2840

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 10829-30449-13054-22998 /f
3⤵
- Modifies registry key
PID:2952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:3000

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 10829-30449-13054-22998 /f
3⤵
- Modifies registry key
PID:2968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f
2⤵
PID:2060

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 10829 /f
3⤵
- Modifies registry key
PID:2748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
2⤵
PID:1816

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 10829 /f
3⤵
- Modifies registry key
PID:2972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
2⤵
PID:1688

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 10829 /f
3⤵
- Modifies registry key
PID:2556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
2⤵
PID:2080

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {10829-30449-13054-22998} /f
3⤵
- Modifies registry key
PID:1512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG delete HKCU\Software\Epic" "Games /f
2⤵
PID:592

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic" "Games /f
3⤵
- Modifies registry key
PID:2256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
2⤵
PID:2284

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 10832-8430-30918-1429331185 /f
3⤵
- Modifies registry key
PID:3028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
2⤵
PID:2208

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
3⤵
- Modifies registry key
PID:2220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
2⤵
PID:2116

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
3⤵
- Modifies registry key
PID:2128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
2⤵
PID:2264

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
3⤵
- Modifies registry key
PID:2108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKCR\com.epicgames.launcher /f
2⤵
PID:2920

C:\Windows\system32\reg.exe
reg delete HKCR\com.epicgames.launcher /f
3⤵
PID:680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
2⤵
PID:1348

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
- Modifies registry key
PID:2272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
2⤵
PID:2328

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
- Modifies registry key
PID:2788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
2⤵
PID:2740

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
- Modifies registry key
PID:2344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
2⤵
PID:2276

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
- Modifies registry key
PID:2360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
2⤵
PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2091004988-65972661414052419511412212643-1995115609-657569698-950678344227402230"
1⤵
PID:240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "98416386-10311701683500505171118953525354573632-20245107541401708068-1777717405"
1⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "902973564349745775888566976384066133966077590-97378913-1867630462-352331007"
1⤵
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1252974061567739234931913329-220892555165206087297076218694503473-2052094891"
1⤵
PID:1108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "756561765-11809713161427128420-20212254801594099602-607788400876850901-14729663"
1⤵
PID:960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1644779149-1147980469-15983295211935322175444832522-457125128-14831875551360322219"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1839049673-683213821-10958824171338565954-2033996150-1025885135680098359-549115300"
1⤵
PID:1152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1161587781-386877103-1845246262-1573445481-1580761186423178826-16304268961430974154"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2108367770-104220967-20841317861368886158-861093735781102434-353508269635984936"
1⤵
PID:432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1517633983-786254574-145053325089575638113237765726089045821057479038-2103725980"
1⤵
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-128656778-6546821291052006027861121625-1215753621-1295970445-198828238-1999296260"
1⤵
PID:1728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-181976831-1825696177-1544482971521332066-178527034-538956017-295377464658065413"
1⤵
PID:1052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1772022935-1255477001-171752040253780134-8241336501027636802-17469170841010749458"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8041781148519668232644704391722215989-57660781818242578211902745570-622989462"
1⤵
PID:1808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "793411198583171531-2455137111877144927-18973892711643563779-151753885-1682029420"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1018524656349745580-1053636421-1425027012-886238031-241130964-2012701200-123498731"
1⤵
PID:1564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17411693141819602672-529743358803106571351050074-2118438911-17271558311706137"
1⤵
PID:1576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1546779021-2106076171-1653950947109954115913392650321385438281-889672685-1137912537"
1⤵
PID:1356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12113945646459876320076633121478620898-7435834331273572280-1800837789-350679703"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8895514411420954256862218376-1670257604-4136930545275395172135050682617088851"
1⤵
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1985224361683484730-11254056491193455839-24070554113471850396831442991019454321"
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1136171751437503515-425777849-178320614011547120771620426613754559911098715453"
1⤵
PID:1496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1006669751-1732433920532474351517623404-658132304-11192335101022701799-69269456"
1⤵
PID:3036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8176423311262497676-467783042824151461062171148-19490248181801318489-1126339546"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-966233447-2036992781530916400807294349-1819673649-701295270-384610605-1883869019"
1⤵
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E02~1
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621~1
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96~1
Filesize
1KB

MD5
d6127c0439455f233e70f7186896f0b4

SHA1
afef663e4b6b69f2c845ca014ac5187b4680d91b

SHA256
fc5eb064c3d6689ea82bc0ad305d9174a66deab149713e9a5cf15300fcba07f0

SHA512
e4871c468416a5e203d4de027536d6cc60c395923715f7c258f0fb99ea8487f279b38077cf3b909b4ca4533f067f3a7cd2d339cad1417c20db19852e40754649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8
Filesize
1KB

MD5
9347c37ea5acf5947cf12ecf85c188dc

SHA1
e6e7ee54afbf0bd1dc7db1048998d7bdef266604

SHA256
dd5b61fe901b6ab2651f5e1bf76a1cea0c55139525dd7c8ccd1065f366bbecf1

SHA512
16f9953835062ff94d411188743887556fdbcec8aa479dc3b884b1abd2225570e7d219b73e1d3fb7c4cb51ff0ac17477fa17564c9ef200d5f705a23bc99150be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58~1
Filesize
1KB

MD5
9347c37ea5acf5947cf12ecf85c188dc

SHA1
e6e7ee54afbf0bd1dc7db1048998d7bdef266604

SHA256
dd5b61fe901b6ab2651f5e1bf76a1cea0c55139525dd7c8ccd1065f366bbecf1

SHA512
16f9953835062ff94d411188743887556fdbcec8aa479dc3b884b1abd2225570e7d219b73e1d3fb7c4cb51ff0ac17477fa17564c9ef200d5f705a23bc99150be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58~2
Filesize
1KB

MD5
98e911b5c3a661734456c322c0a0e700

SHA1
afa5c83a9d8dd792f5610a1e6a6537fcd9055687

SHA256
028267a042bbb6a419190210ca05f5f04b2cdb0394da9d17423410badda84849

SHA512
98ea8a7bbd64163bef310995864f9c7c0d521fb9c7f77c1b28c190611f2bf93058bb67a8c546d739277d666ae5e0dc6df5e35bc320d060823b8e2c9d217b62c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE2~1
Filesize
1KB

MD5
33061bc7bd2a9eba2765dbeac0c8222c

SHA1
5332aaddbec4cbc90d07376c3f960aea002f32b3

SHA256
69a1475f9292010e6d7b90f8dfcf8c07625e5ae530cfe3476630d4afb332ce70

SHA512
09549da1f9646df41dbb1514118c42e52c735065f9fd8d601e2620b9bccea5d0f981b5e29320c014c6264bdd798cd278dea106e4278d39d8433aca4ac05e7b31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\943080~1
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
1KB

MD5
60f78053c151a7fb3ce3c1e2f247f963

SHA1
a090592930bc1adbd3b3dbed9130289dc4233f17

SHA256
be58a10111b4a808e6d67364a55dccb7458d63ff26ea8ddabd06ba8674fff126

SHA512
d9d0a62c65d181c64d7fa5142b7f8aa1a5369a3ddfb7daf688b780cc88630a81921dcdbf7cc2e5d796f136f71190e671aa8e86d9a7967667c48d8d96f94decd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240~1
Filesize
1KB

MD5
60f78053c151a7fb3ce3c1e2f247f963

SHA1
a090592930bc1adbd3b3dbed9130289dc4233f17

SHA256
be58a10111b4a808e6d67364a55dccb7458d63ff26ea8ddabd06ba8674fff126

SHA512
d9d0a62c65d181c64d7fa5142b7f8aa1a5369a3ddfb7daf688b780cc88630a81921dcdbf7cc2e5d796f136f71190e671aa8e86d9a7967667c48d8d96f94decd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
1KB

MD5
a0d886e95b82bb48f8753efb14ed976d

SHA1
6e2dbba309c16c542e919af06797459722a3324e

SHA256
d98337e8fa7b25c30155011806c40e36b92219eca6601bffa47da49fd209e8c1

SHA512
ffb728fe536707a5802deb7f754d794694fb3c1f7563dc578b11a7282255677892ca36ab4cad52afa88cf68822115df1c5b132324b9213b10ddd2454842193bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725~1
Filesize
1KB

MD5
a0d886e95b82bb48f8753efb14ed976d

SHA1
6e2dbba309c16c542e919af06797459722a3324e

SHA256
d98337e8fa7b25c30155011806c40e36b92219eca6601bffa47da49fd209e8c1

SHA512
ffb728fe536707a5802deb7f754d794694fb3c1f7563dc578b11a7282255677892ca36ab4cad52afa88cf68822115df1c5b132324b9213b10ddd2454842193bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602~1
Filesize
1KB

MD5
af07aad9510bf32aec123b6f437f8b3e

SHA1
d8d11d35917c186e722a63bf190fe0e9a0af7939

SHA256
823843f04855b2c45d8a01f275f82c0a006f32437d983bb026c213d0e8b02efd

SHA512
6dd7769279438ee601f28bf53cd9ea04e45096de11514cd44113060c5dc48f7da96ecaa72e08a1458ed1b8afbc0f22ac422ee10cbe8e361ea6488e5e8be05d2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF470~1
Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C5~1
Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE9~1
Filesize
472B

MD5
f86da0dd278dab61512989673262b7b7

SHA1
0a9e07a3e3001b0fd895cd6be56f4b6929048e7b

SHA256
ac48a2d4cff37e533bcead879c78d3a6f937e6c07fe2aa71a7d0aa4cc5181752

SHA512
20d04d47dc7ad5b0fe704b2c052d3cd614bf751f83d777926b9485fe75dc6ed1c45e94af9160ab31ce1b2c673f96246508612383a4f67baa8971d16dee14377d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644~1
Filesize
471B

MD5
d8076782b7586aea6d69480d5434652e

SHA1
6bd6f10f27f62711c6783bc8b5ea72cb74622e2f

SHA256
ab660e165b0044aa0ca16ab2a42ac38a1922a24a6ae6e879d4e3e1e9c19822c2

SHA512
b21c5da5e9284aaca10e8e92e21b835130ffa623655d8e241647c72f992229fc3fd19d8763b4ddc4e9a2dbc0ea63fbdfa39c24b2f056f6d01c32f0c78dd787b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF~1
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD~1
Filesize
472B

MD5
3e968c0f4319273e79821cbabf3bdbdc

SHA1
99f1127052594878d49370fdcc61b1e4fbb69e61

SHA256
82ea5f81bec224fa88a6b83c50481d819586b5de2fbb435d522d24ce1250b6cb

SHA512
41a081193011f36fe4c9c4d04828f757a51ff2252e82575e19239e5604b159c6f42e8fbdefbbf84f5981026826a63008984c7d9c7a8c0374a1c1f83cd2577d0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
2da66522dad05f37f67c9f6f0bbfdb35

SHA1
cc013352c6e400e67384942a2a9045d3026d5c08

SHA256
02e13ea147a34916d9ea406b0509e2bc014ae0514ac2663fa5930c621810e66c

SHA512
c1206e8b033609b5676253e2efa284978c6467a5524138dbaeaab3ac7f19199b60092bc9d7926e074cf32323dd9f341d5b51945030a3676e152da916c0593b78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
c094fdb058d6dea9bcc36b31c478a620

SHA1
4009418c2aac92b806deeb06947a59114df25687

SHA256
bcfaf5432ee619d3ca2009dc84a72326d51bb36b672d4ecdfa63532f45703d29

SHA512
b649848a6fb748ddb44fee6d71bd2d486e625c2130a2e89d715456a7c9979d1f7f11782c0c5a859da31c4ec45e14b909c29aee465c55a665724662e0d6d28147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E02~1
Filesize
230B

MD5
c094fdb058d6dea9bcc36b31c478a620

SHA1
4009418c2aac92b806deeb06947a59114df25687

SHA256
bcfaf5432ee619d3ca2009dc84a72326d51bb36b672d4ecdfa63532f45703d29

SHA512
b649848a6fb748ddb44fee6d71bd2d486e625c2130a2e89d715456a7c9979d1f7f11782c0c5a859da31c4ec45e14b909c29aee465c55a665724662e0d6d28147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621~1
Filesize
192B

MD5
a5372cd4b0452d34631440407b5481a1

SHA1
c79afbe580b0287b2349d7263dac3ccca08c650b

SHA256
fb2665d5a8820dad8b34d24322a5e990b284ef70e7b00199ee0d8f1b0865dd24

SHA512
220927e86f0b506ab8d00b9adc6165135720c7678601b57fc8a9a5bbf99350e46dba74fb265491c0a4ab21147b43e9b68a401eca6d54bcd040ea059b4e544ec8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96~1
Filesize
410B

MD5
e683f6f4c1a43244c60f769f1b4d3e46

SHA1
c902218a6f9fd443a46a3d3737cd3dfa9c4bda73

SHA256
19cc09cff85dc2fbb963b849af79b9f4fb1d9a736cdc35c6b4c49dafa2470fca

SHA512
d12036015fdcf0b83eb6ee1559df5781b3dc3c8ed7d14f41417bf529af8649a1f344cfc94cbfad9bc1d59cf303fa84b215eaf180f1f67383714f260536fb50e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58~1
Filesize
438B

MD5
9f5f4d50bac3d3df8a5edb0aeec3afab

SHA1
22c9abf098ba626886691adc0b8e1cec2ece33cb

SHA256
fb7627f593b610ddcd93baf7cb4dcc4ff189a64c471f9a82b98ddc8393352016

SHA512
ad76e18abbe33ea9b5ef23be9637101dcba1211f2c8eebf19f0d4f5e3d0dce7c118dd80273c3c0871d0e015916b302ae2530b076001122636c8ff847e96deeb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58~2
Filesize
434B

MD5
2992986f16709ca1f56a468a8ccca5b1

SHA1
534e23ba5fd80294224db81ee0d32b8b3b47c162

SHA256
0f4cb0eb1dd8154020ec90cf51e6751c416ec82efa95451763726406cd65a165

SHA512
9983a934706d1d53f6d1062747283ebdb8d1321ca17f0886c7dda28322e6e15c85b85530989eeede7e23e6dc6c66c8fdcdc19ebcd2736b85a97190fc23cedea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE2~1
Filesize
466B

MD5
fc164f84185ce27c29db41165ab7baa7

SHA1
6ac73181b6b1eb27f87306245c92ac134fc7da93

SHA256
c4613b34623f0e697c419a68d5d0cac82e5016b80e586d56bf98f502345eb2ce

SHA512
43f99ac1321fd96cee8fe96741a563ea510004465283ded6e0a02e025b5fab6a4d4e7e28ebfb8348aaedc1d814482914a9140443146a93813b8777e4837c2c94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1d0fb4e5da4042fd918654096115badf

SHA1
5b2c52e64bcdc825abb76cb5acb3a04da3bff9ba

SHA256
264af622ce6cb9c82fb030e7690dd4ada1edecf5b2c614afa35c0185d2b33f2a

SHA512
d8b19d1bfee8e173c1addd9748a877cc944a2936d270e5690b6337608b699a102f49c33d313810d2922e177631987373b989461d097ee38bd09f7704f3d3bdb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
341b8776133b00e2d9b9845dd0debd7e

SHA1
ff99773e2d4d177d654f0f4931270fb6f8c4ceed

SHA256
7ca3f3834edbef03b46c696bdb5a4c5d62634e510dcde514229afef9ad07c5fe

SHA512
dc704a005fcb3dda03de677dc75bf989d92ccfee97c99b093c8729afb3f25e211dc99d089dabff20e1bdf7663941440064e8c195a6b874cfbea13ee03f3d880c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
17c3af3d9944ee924ed3238d5ab6ff7e

SHA1
94d66c1ab1f5da45a2694bae70221e2de1ffedaa

SHA256
eced67a9f63163e85e776694c5b7b6994eda16bfc91307c6a66fe5ef2a7e8e24

SHA512
a373518f3b82c44321d57c96cd43c70dd4904e9e8de7688e747a0900651a58070d11b968de8c9e02638f2f30faf2c324874c20db17ee356116f240a329693cc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
45230de8e2c10cc0dcb9ccb3400fe723

SHA1
ecefc119be8b5849254775dfa65c972fe2790c0f

SHA256
c5cc695b2434c501b187ddd4d787922c5c28721f5d69e42dfe8795ee78413ebb

SHA512
1f1d9a00db67f69bb7efcc2f0f17f424f50143bb76596895b02ef9cc8bb53ec2639f668ff791025a8f951169d39d7f86a781593d36bfaeff80245221f1d8fe93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dca575f42f54932adc46fbb4aca9ba69

SHA1
196805eca1638b41a13767feb5d5d67cf6350fcb

SHA256
11e046245ef88fef076b9ddf8a7bd574b8907e820de38bcede5fec9867c76345

SHA512
e069ee8c6a6fdcfc4d9c7f4332158388cf70d69fe8fab955941d94807238623c6e99df4202d8a0d8906878dc7716cb6eb0ef720e43e19220bb4b3e65fe5717c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
aecb7e0ff4d4683c7a25694e4e83e035

SHA1
b2d7ebeebdec261d676e1442156d859705852d65

SHA256
e05475f32d37c7957796ec5fce10afdbf1ba71e9997468a6348272c4ddf0c5cb

SHA512
d075752e82dedeca1522da41f4e3929e05aed31d15b7ebbd4c3434a0c377270f43696e43f1f24e24d2a0c6ec3a810e0e8433b557984168462c8072f05754b4b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e5ea0cb58a29ab826bd922a9aa2a2e98

SHA1
e2b69d1b4d8be7d695db08cd3a19e44a481c7f39

SHA256
b48a56a08036d7770b7166a06aadb3ff05d64478efe94a916ce38cc8f9db83dd

SHA512
b6342b9ce0409a4a65894be977379ca4bfc55eb338412bddec4ab34c877f3d82ad1ababbaf03fc12c5e847d4d80259a06c59ae548f19e47ae40889c7f9b6754a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d55162854e2262f7906ea351245cd097

SHA1
3638984877c2a165224cab83c5494cdaa6411b48

SHA256
676f6f5ddf0a43ed40661e738383f1c92b7f455a38a5d09f18bf89ce73f53720

SHA512
1edce3f0211ade5d1644b0c392ba6a1edd243ccd7ad95713885c18388d6606273aef24b6882ae5d6e9e7ad3c88110a697c61a0868e86a07b97c2ddf6e745d448

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\943080~1
Filesize
342B

MD5
45230de8e2c10cc0dcb9ccb3400fe723

SHA1
ecefc119be8b5849254775dfa65c972fe2790c0f

SHA256
c5cc695b2434c501b187ddd4d787922c5c28721f5d69e42dfe8795ee78413ebb

SHA512
1f1d9a00db67f69bb7efcc2f0f17f424f50143bb76596895b02ef9cc8bb53ec2639f668ff791025a8f951169d39d7f86a781593d36bfaeff80245221f1d8fe93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
458B

MD5
92dc9b21a6808ab1147964cadcc6c935

SHA1
8047c8f820bfb32aa479899ab3a8a1cd4d1b5a22

SHA256
ad27d856896bb7c5e326861a98c6c702d89c77e2cbe2e0b22f57f85aebacd197

SHA512
d54aaa45a9535e6bff47cfc9064f9452c5f60bb29b63707d688ff36ffbf306a5d77cdfb2796dddc5beda1f27be72c83e59e81ebef49e3c8accb8f8e8f8630ae9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
458B

MD5
17b2fa53653594a7d4134c1571e4036e

SHA1
71d88e0af6c001e08b862d973ec2efa2db377e81

SHA256
4ba3857b0a52c96366357b6baed92eaecaa8b761726312b9292354fa8648a927

SHA512
e23d31e8582d97f85b3d9c7d272b34b4039a4bb4f9621645e08024d81d6570e29f1babf3c134b4553b450d47e274228d2fbd8657c00bd6441af4d346b8be7d9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240~1
Filesize
458B

MD5
2bfc4a5530bab1d9838c40e41dd02468

SHA1
1fbfca35f47359b230e5c4214e6d6360109af86f

SHA256
0fa63438d684bb891e9e29b2b950fba1a1c4c3a2073d67470acc752c8bd233d8

SHA512
67fdef036ce2f5a2e6af7bf46e3a62babb9bd72275937936e3e66439c32bcca869c90704e5d1bbebf2ec1d230847a38343db23137c8a272fb5ee3879ddacc536

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
432B

MD5
62b88e7f83d5d45915100ac0c4b51ef5

SHA1
a97dd1dd93acd1661bac7db16973861fcc0634fa

SHA256
65ad4d85edb083753ab11e8fd8f635de9d0f7c8b13652b010778e5804a57ae41

SHA512
6bff44f9a9dff9fea77e3ba82ea6d8a94adbc4982673f6a6c4cf573831daf8d8f88f4f82860d456aa8bef517db35ede9a3d0f5f0b6f9ff7d6198bcdd36b1b916

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725~1
Filesize
432B

MD5
23e4325459801992b8cf14317ab35a80

SHA1
1f0fbbeb4c3f22dfd33c8cd80c258d4d81fcc540

SHA256
46360f272a184474f0c22247e9cd80b1d5c9111a9c935eb7b1f5f0f86693925e

SHA512
106d92dee67ed0bfb65fa822dd757ebe170422baa79c08c82a578c856aaefee2af7cf38e8270d5278ec78487f8188b852cf06a86381529c4692b288e20e5e11c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602~1
Filesize
470B

MD5
8c8caa1051b2af1745352c2594501a78

SHA1
64b7a86ba6e3fae79c680c0b6551b496fd4b3f3a

SHA256
6f8f2fa5b4f6e6b5e8f47176dddb105da545a94e116af8bb1e1cd9ef3640ad39

SHA512
4d0e26f25594288687698770b6e34a0b32fb60effc89a3d03556e400c36c82eb04572c5d50c3bd0d277e5b515903ba0e1faae2349739ed4d91f4f01ad82f4560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF470~1
Filesize
392B

MD5
b2174972c68767937fe29e689672139c

SHA1
ff8b248408a85cb62f7277d9b13a65ceace203b9

SHA256
436083720d6412b3cfc1f4fd957a8db0b4a3d538c48787f5b39120fa8620a540

SHA512
8120d078ca7a7909c695bf210fdad5c6c84e181155c87e116e4956815fe67b1232035e0e81f7ec03d53077f1d197f2c61fd3f8ee02a1b4e80b8c7f5c1a712652

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C5~1
Filesize
252B

MD5
fdbc4e4f12694deba0af55c15fced942

SHA1
b867ec493746fe7eb3e039e0e8664cc94d0252d6

SHA256
e62dbe41f7aa057e7b2dff7fef4e3d88ebef6f014d66f3ef24d4408c94dfa760

SHA512
4b184a6e7837b21cb3708704864c9052d0ae300703c65498f58d6bd4f628d3701416b242f7aeaff7da92749822a47460522e17be2e75112fc14a19094357cab2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE9~1
Filesize
406B

MD5
a4a5abfc5cc2dd929db8b8a4413acc0b

SHA1
3e9a9789bd2eaf0a6a8548dc18e576dc5882c129

SHA256
751d6424327a0219b49f48a01d03666541397036834a81373938f760a9d0c1d7

SHA512
c728aca8a196392832b8e802f067264d3ee9b9de5ef1b32acb36845c9a966f9d2e954eed8e01ebaf5565ac563da57dabb8e4d76ea0f6dcb4ab0fed96ec901f0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644~1
Filesize
406B

MD5
ed37f6a4bd101e826e75b9eabd56059a

SHA1
0955118a8509d7578e9b408fab9289a6a538b717

SHA256
0983c8dd9163e8215dfdfdf02e3c8a9d68d029bd515f1f5e09565a473341823e

SHA512
d1ca26ff597927e79309257b89d802feb83448d098be7725f9d2967dc321bb65be0e6c15ffc69ef9618e5624accccd9df31ff8d6721288f9286de60a1be23378

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
38737e9bbc6cb9bc4c18e24df3b08e36

SHA1
f739660cb13b3930c705b99672d5249cefdfb54c

SHA256
916dcff6e035bbc6399c66e8c68fcc1023591bd50378501185465077d9278910

SHA512
27be71d55af89c625a2b704412f9ddd8e7e257dfd1c1099bb0e56966e16875df9462806cb69448695f13bc90362dad0c004c7e2b5398918bd0fba5c6eff452ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF~1
Filesize
242B

MD5
38737e9bbc6cb9bc4c18e24df3b08e36

SHA1
f739660cb13b3930c705b99672d5249cefdfb54c

SHA256
916dcff6e035bbc6399c66e8c68fcc1023591bd50378501185465077d9278910

SHA512
27be71d55af89c625a2b704412f9ddd8e7e257dfd1c1099bb0e56966e16875df9462806cb69448695f13bc90362dad0c004c7e2b5398918bd0fba5c6eff452ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD~1
Filesize
402B

MD5
67f6713042bad3f9f12d5105cfc8d85f

SHA1
fa411c0703e17857c4eb8b2a6e6c759f97f86385

SHA256
185cae2b8ee63949123ffc1a6e4dd902c5dddd5759f8c17118dbc02664a650d8

SHA512
0fbae97dd6aa755f63d7c66a1b18e1985b53aba49b01292315832dc8eb7e14fcf5c7ce5f14322ff897815f01d5609f085a27e23cb06813d325a8dce8e3ac88ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RECOVE~1.DAT
Filesize
5KB

MD5
d64cf8f56a0b57fdeb698b83b363b593

SHA1
6330e53ab2bc774534fc40eb072e837a060869e8

SHA256
277d396e034148cc467c007bcd1f55d1d9d210343a088e3fdd9b5fcc2bbe087f

SHA512
2f31023ebab0b1f8e4643c677d758fde68a451f573966320355dcfbaba346773ca4a8a5275c9c0d1121d4635f526d6b3e748cbd084d5a6390cb8dd6f857ce7da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RECOVE~1.DAT
Filesize
5KB

MD5
bda9363e364092dde4830bc4e31f444c

SHA1
53c9645a6a9630ef5c4c55a237c8923977e066af

SHA256
513e087ea3a401f9d4b69cc841aad4d58c6efb6d56f3091a2d9565d0feba0781

SHA512
ba06ee2a0306ea31cbda9ccbae98b2c3baf3d4f3303ff076805c05638966e533b21ec0380f8e28d74f33b516a7e2a75a91a797ee9ca97f0315694e44f3009d86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8E8CE~1.DAT
Filesize
4KB

MD5
bf05e6054cafd2ef1363fffa86da4295

SHA1
8c82d0ee8e4b8d62f93876c313db8b8cd0ccf296

SHA256
79ae79d37d6e1cdfca7a3a69535f96d79dfe5d7e4b0851113b2baf2e2a9b26ea

SHA512
deb8009f967cc33efdbc6c4437421459fea5111beda19b0be8fb16378a363787b895c5ba6edb76eefe1dd0848ce696a5bfbcb5cc04125deb6a9f30ff9b9fc3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8E8CE~1.DAT
Filesize
4KB

MD5
2dfe71998be2c60b339013a7871e7e32

SHA1
dabf33aaa796c80b12fb722548751efa21f9f5e0

SHA256
a0ecd2c817d46c066a3bbfb394508baffed316fff4ecfb7c2fb6b4e1b852eb77

SHA512
93fcf6609d2619749f3e57632cfb4146c7cc6d64a38992ed4bf0c7a644bd8a6c7f649b765d937bc1daaf8857a034fcab71ec0cc6464fa2a2024005923401d994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{984DB~1.DAT
Filesize
3KB

MD5
e7be735b42375f0ddd6dad79e05b9c75

SHA1
c0007575817e3328a0ca1d863aa37e736d8abf15

SHA256
b330c696ba2bf6da0ab18c9cb36511c44fe57740c1220d17eb7d0d11d7c82d4c

SHA512
11c96bc203e59de20c487e3469028d75d8eb1f6ca33ac7b0ef8bfa5acf05e044e3fc349ed101c336f84aae04ead7079e5de53ed9c518be3b599fde91bfcd3a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z62wpf5\imagestore.dat
Filesize
20KB

MD5
879830828fc9cb0ad3266ff68a0eb18b

SHA1
a0981903a3fe6169f949c3c3fa33b61c982dcadc

SHA256
1a57a4bd65746ae893245569962c6516dcb89636dde199ab90af73777301f736

SHA512
ded57f651c2a5906a3f276bc72b8976caa918f230101be9a7cec9340391038a20416ce3c05c2351c82bb63f0215204b9f1f649ceab39eb9a67f88aa67ce5a194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
Filesize
130B

MD5
941682911c20b2dabecb20476f91c98a

SHA1
0b0becf019cb15e75cdfa23bf0d4cb976f109baa

SHA256
3fef99e07b0455f88a5bb59e83329d0bfcebe078d907985d0abf70be26b9b89a

SHA512
a12f5caf5fd39cf2ae600e4378b9296d07787a83ae76bc410b89182a2f8e3202c4ca80d811d548193dff439541de9447f9fa141ebfd771e7ab7a6053cb4af2b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\favicon-8f8be32076803305bd39913d14e9f28567adc474d60a95af6e0d21282302ce6a[1].ico
Filesize
15KB

MD5
91b5b75e4f52df43982200873c1feef6

SHA1
8a01193959229d10a361d4965e305490544c428c

SHA256
17cae8213bf0fbeae27b644f0616b74981f348af943f27b73abf8e7b3a557b8f

SHA512
8561f92fe9ee36c7576a150e11bf4ae2cf97fd99d8e9ebad1b1d537dfb884444fc40e0161f2f53f250f2d96da628ae04af2c75483e48696e62557f35eca72e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4CCF.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF31B~1.TMP
Filesize
16KB

MD5
bc5873f76c65dedc0a748f6668ba458f

SHA1
a822a837483be8123573d1493be0aed102b41b4c

SHA256
d95d9959a4fef98c2ba8bdfef315a6dcdacc12b1198d0a6958ca4b2d037b8ede

SHA512
60c4f9663908b56553b723dd85535e24e4911422bbc7f4fcd20f95c00f4d35c279a4a8489df646b80cc77f9527c050033a71ed219e5f43eb266baf90e612611c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF74C~1.TMP
Filesize
16KB

MD5
0322753f8084651c16799eaa4c2ca574

SHA1
45a65ff4d58af96c8362eb98acaa2ce39511d0d5

SHA256
7e365d49fc8c7c4c0d1403872b44783685918f5b8fcc4a6e3c6c260d93a33b2e

SHA512
907c95c9b588a006b3f384ddad961f38f45dcc22cd3d5f6c36aca47fe26c1fb0ca78a170718bdbf56924be1799afd8ed263234b25103b35d9ff867c75131b3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFB32~1.TMP
Filesize
16KB

MD5
bdd9803d5ed64de9f02e2072a95e5026

SHA1
ec74b54457e12bfd849283f6d692e9fe8a537334

SHA256
6785a86738850e47a302aec0059542216c7d30920ecee2d90b8cc10effade603

SHA512
a3c03f096ad84854a98291445a6d84319149d25572471be2ac49703158712a7ec0f5c7b6124e0610ec76af4b5dd684fabb7e9c1066190f15bb98a7b49d11f08a

Download Submit
memory/1560-54-0x0000000140000000-0x0000000140567000-memory.dmp

Filesize
5.4MB

Download