xenorat | 66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223

Analysis

max time kernel
127s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InternalLoader v2.exe
Size

955KB
MD5

94f798a6cc5738e8924c9c0b3d2abb1e
SHA1

5714cb7b382dab9977c99c94294561bc42d3166e
SHA256

66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223
SHA512

7b301bddf5d8a3602805754dc995bb4ee88c957b1029e3a17a0ed10d85cc60b1c603a8953a521cae283c39e2ecf69e1253db92cc89dacd46a45d2c72837ce0e4
SSDEEP

24576:duDXTIGaPhEYzUzA0qxUAUBqG8DCRG7F9V5:ADjlabwz9M7WRG59V5

Score

10^/10

xenorat defense_evasion evasion execution impact persistence ransomware rat trojan

Malware Config

Extracted

Family

xenorat

23.243.100.240

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
Windows Security

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

InternalLoader2.exe

description	ioc	process
File created	C:\Windows\System32\drivers\spotifyHResultInstaller.sys	InternalLoader2.exe
File created	C:\Windows\System32\drivers\etc\spotifyHResultInstaller.exe	InternalLoader2.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spotifyHResultInstaller.exeinjector.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dQDbesygfrMwuPmZJIv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\dQDbesygfrMwuPmZJIv"	spotifyHResultInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"	injector.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

InternalLoader v2.exeinjector.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	InternalLoader v2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	injector.exe

Executes dropped EXE 3 IoCs

Processes:

InternalLoader2.exespotifyHResultInstaller.exeinjector.exe

pid process

2068 InternalLoader2.exe
4076 spotifyHResultInstaller.exe
4880 injector.exe
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

fsutil.exefsutil.exefsutil.exe

description ioc process

File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\E: fsutil.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

50 raw.githubusercontent.com
51 raw.githubusercontent.com
55 raw.githubusercontent.com
56 raw.githubusercontent.com

pid	process
2068	InternalLoader2.exe
4076	spotifyHResultInstaller.exe
4880	injector.exe

description	ioc	process
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\E:	fsutil.exe

flow	ioc
50	raw.githubusercontent.com
51	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com

Drops file in System32 directory 7 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

4792 sc.exe
3224 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4792	sc.exe
3224	sc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "2787620314-2172020521-1728624429"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "2787620314-2172020521-1728624429"	reg.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

5048 ipconfig.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4752 vssadmin.exe

pid	process
5048	ipconfig.exe

pid	process
4752	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4076	taskkill.exe
3928	taskkill.exe
4892	taskkill.exe
4644	taskkill.exe
668	taskkill.exe
2848	taskkill.exe
2604	taskkill.exe
2696	taskkill.exe
3236	taskkill.exe
4920	taskkill.exe
1708	taskkill.exe
1360	taskkill.exe
4788	taskkill.exe
2032	taskkill.exe
1712	taskkill.exe
3924	taskkill.exe
3704	taskkill.exe
1404	taskkill.exe
2404	taskkill.exe
4300	taskkill.exe
2500	taskkill.exe
5064	taskkill.exe
2948	taskkill.exe
3796	taskkill.exe
1224	taskkill.exe
1272	taskkill.exe
1644	taskkill.exe
3292	taskkill.exe
1988	taskkill.exe
3504	taskkill.exe
1460	taskkill.exe
5072	taskkill.exe
4328	taskkill.exe
4652	taskkill.exe
3860	taskkill.exe
1148	taskkill.exe
4412	taskkill.exe
4920	taskkill.exe
3484	taskkill.exe
1208	taskkill.exe
4400	taskkill.exe
5100	taskkill.exe
1704	taskkill.exe
3436	taskkill.exe
3920	taskkill.exe
1840	taskkill.exe
1704	taskkill.exe
1392	taskkill.exe
2768	taskkill.exe
1704	taskkill.exe
5096	taskkill.exe
1844	taskkill.exe
4024	taskkill.exe
3852	taskkill.exe
4328	taskkill.exe
2032	taskkill.exe
4260	taskkill.exe
2592	taskkill.exe
1212	taskkill.exe
1500	taskkill.exe
3760	taskkill.exe
3856	taskkill.exe
948	taskkill.exe
3916	taskkill.exe

Modifies registry key 1 TTPs 52 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
544	reg.exe
3444	reg.exe
4604	reg.exe
4528	reg.exe
1776	reg.exe
4568	reg.exe
4276	reg.exe
3012	reg.exe
2744	reg.exe
964	reg.exe
900	reg.exe
1300	reg.exe
2236	reg.exe
1964	reg.exe
3040	reg.exe
3036	reg.exe
4496	reg.exe
3928	reg.exe
2476	reg.exe
3404	reg.exe
1896	reg.exe
2440	reg.exe
2288	reg.exe
908	reg.exe
4980	reg.exe
2696	reg.exe
4860	reg.exe
1520	reg.exe
4748	reg.exe
2884	reg.exe
4292	reg.exe
3420	reg.exe
4640	reg.exe
1836	reg.exe
4076	reg.exe
4984	reg.exe
4916	reg.exe
4780	reg.exe
1716	reg.exe
864	reg.exe
4348	reg.exe
1712	reg.exe
1248	reg.exe
2720	reg.exe
548	reg.exe
456	reg.exe
1644	reg.exe
4188	reg.exe
4732	reg.exe
2796	reg.exe
1988	reg.exe
4824	reg.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3056 powershell.exe
3056 powershell.exe
2204 powershell.exe
2204 powershell.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

spotifyHResultInstaller.exeinjector.exe

pid process

4076 spotifyHResultInstaller.exe
4880 injector.exe

pid	process
3056	powershell.exe
3056	powershell.exe
2204	powershell.exe
2204	powershell.exe

pid	process
4076	spotifyHResultInstaller.exe
4880	injector.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

spotifyHResultInstaller.exepowershell.exevssvc.exepowershell.exesvchost.exe

description	pid	process
Token: SeLoadDriverPrivilege	4076	spotifyHResultInstaller.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeBackupPrivilege	2476	vssvc.exe
Token: SeRestorePrivilege	2476	vssvc.exe
Token: SeAuditPrivilege	2476	vssvc.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeIncreaseQuotaPrivilege	2204	powershell.exe
Token: SeSecurityPrivilege	2204	powershell.exe
Token: SeTakeOwnershipPrivilege	2204	powershell.exe
Token: SeLoadDriverPrivilege	2204	powershell.exe
Token: SeSystemProfilePrivilege	2204	powershell.exe
Token: SeSystemtimePrivilege	2204	powershell.exe
Token: SeProfSingleProcessPrivilege	2204	powershell.exe
Token: SeIncBasePriorityPrivilege	2204	powershell.exe
Token: SeCreatePagefilePrivilege	2204	powershell.exe
Token: SeBackupPrivilege	2204	powershell.exe
Token: SeRestorePrivilege	2204	powershell.exe
Token: SeShutdownPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeSystemEnvironmentPrivilege	2204	powershell.exe
Token: SeRemoteShutdownPrivilege	2204	powershell.exe
Token: SeUndockPrivilege	2204	powershell.exe
Token: SeManageVolumePrivilege	2204	powershell.exe
Token: 33	2204	powershell.exe
Token: 34	2204	powershell.exe
Token: 35	2204	powershell.exe
Token: 36	2204	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	4408	svchost.exe
Token: SeIncreaseQuotaPrivilege	4408	svchost.exe
Token: SeSecurityPrivilege	4408	svchost.exe
Token: SeTakeOwnershipPrivilege	4408	svchost.exe
Token: SeLoadDriverPrivilege	4408	svchost.exe
Token: SeSystemtimePrivilege	4408	svchost.exe
Token: SeBackupPrivilege	4408	svchost.exe
Token: SeRestorePrivilege	4408	svchost.exe
Token: SeShutdownPrivilege	4408	svchost.exe
Token: SeSystemEnvironmentPrivilege	4408	svchost.exe
Token: SeUndockPrivilege	4408	svchost.exe
Token: SeManageVolumePrivilege	4408	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4408	svchost.exe
Token: SeIncreaseQuotaPrivilege	4408	svchost.exe
Token: SeSecurityPrivilege	4408	svchost.exe
Token: SeTakeOwnershipPrivilege	4408	svchost.exe
Token: SeLoadDriverPrivilege	4408	svchost.exe
Token: SeSystemtimePrivilege	4408	svchost.exe
Token: SeBackupPrivilege	4408	svchost.exe
Token: SeRestorePrivilege	4408	svchost.exe
Token: SeShutdownPrivilege	4408	svchost.exe
Token: SeSystemEnvironmentPrivilege	4408	svchost.exe
Token: SeUndockPrivilege	4408	svchost.exe
Token: SeManageVolumePrivilege	4408	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4408	svchost.exe
Token: SeIncreaseQuotaPrivilege	4408	svchost.exe
Token: SeSecurityPrivilege	4408	svchost.exe
Token: SeTakeOwnershipPrivilege	4408	svchost.exe
Token: SeLoadDriverPrivilege	4408	svchost.exe
Token: SeSystemtimePrivilege	4408	svchost.exe
Token: SeBackupPrivilege	4408	svchost.exe
Token: SeRestorePrivilege	4408	svchost.exe
Token: SeShutdownPrivilege	4408	svchost.exe
Token: SeSystemEnvironmentPrivilege	4408	svchost.exe
Token: SeUndockPrivilege	4408	svchost.exe
Token: SeManageVolumePrivilege	4408	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4408	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

InternalLoader v2.exeInternalLoader2.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4504 wrote to memory of 2068	4504	InternalLoader v2.exe	InternalLoader2.exe
PID 4504 wrote to memory of 2068	4504	InternalLoader v2.exe	InternalLoader2.exe
PID 2068 wrote to memory of 2440	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 2440	2068	InternalLoader2.exe	cmd.exe
PID 2440 wrote to memory of 2444	2440	cmd.exe	certutil.exe
PID 2440 wrote to memory of 2444	2440	cmd.exe	certutil.exe
PID 2440 wrote to memory of 4320	2440	cmd.exe	find.exe
PID 2440 wrote to memory of 4320	2440	cmd.exe	find.exe
PID 2440 wrote to memory of 2816	2440	cmd.exe	find.exe
PID 2440 wrote to memory of 2816	2440	cmd.exe	find.exe
PID 2068 wrote to memory of 3644	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 3644	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 1000	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 1000	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 3176	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 3176	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 4948	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 4948	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 2028	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 2028	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 628	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 628	2068	InternalLoader2.exe	cmd.exe
PID 628 wrote to memory of 4076	628	cmd.exe	spotifyHResultInstaller.exe
PID 628 wrote to memory of 4076	628	cmd.exe	spotifyHResultInstaller.exe
PID 2068 wrote to memory of 3656	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 3656	2068	InternalLoader2.exe	cmd.exe
PID 3656 wrote to memory of 3040	3656	cmd.exe	reg.exe
PID 3656 wrote to memory of 3040	3656	cmd.exe	reg.exe
PID 2068 wrote to memory of 4476	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 4476	2068	InternalLoader2.exe	cmd.exe
PID 4476 wrote to memory of 2696	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 2696	4476	cmd.exe	reg.exe
PID 2068 wrote to memory of 4448	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 4448	2068	InternalLoader2.exe	cmd.exe
PID 4448 wrote to memory of 1896	4448	cmd.exe	reg.exe
PID 4448 wrote to memory of 1896	4448	cmd.exe	reg.exe
PID 2068 wrote to memory of 1508	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 1508	2068	InternalLoader2.exe	cmd.exe
PID 1508 wrote to memory of 4568	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 4568	1508	cmd.exe	reg.exe
PID 2068 wrote to memory of 3624	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 3624	2068	InternalLoader2.exe	cmd.exe
PID 3624 wrote to memory of 964	3624	cmd.exe	reg.exe
PID 3624 wrote to memory of 964	3624	cmd.exe	reg.exe
PID 2068 wrote to memory of 904	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 904	2068	InternalLoader2.exe	cmd.exe
PID 904 wrote to memory of 4860	904	cmd.exe	reg.exe
PID 904 wrote to memory of 4860	904	cmd.exe	reg.exe
PID 2068 wrote to memory of 4972	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 4972	2068	InternalLoader2.exe	cmd.exe
PID 4972 wrote to memory of 900	4972	cmd.exe	reg.exe
PID 4972 wrote to memory of 900	4972	cmd.exe	reg.exe
PID 2068 wrote to memory of 2596	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 2596	2068	InternalLoader2.exe	cmd.exe
PID 2596 wrote to memory of 1520	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1520	2596	cmd.exe	reg.exe
PID 2068 wrote to memory of 2020	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 2020	2068	InternalLoader2.exe	cmd.exe
PID 2020 wrote to memory of 3036	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 3036	2020	cmd.exe	reg.exe
PID 2068 wrote to memory of 1160	2068	InternalLoader2.exe	cmd.exe
PID 2068 wrote to memory of 1160	2068	InternalLoader2.exe	cmd.exe
PID 1160 wrote to memory of 2796	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 2796	1160	cmd.exe	reg.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\InternalLoader v2.exe
"C:\Users\Admin\AppData\Local\Temp\InternalLoader v2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4504

C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
3⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5
4⤵
PID:2444

C:\Windows\system32\find.exe
find /i /v "md5"
4⤵
PID:4320

C:\Windows\system32\find.exe
find /i /v "certutil"
4⤵
PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\drivers\etc\spotifyHResultInstaller.exe C:\Windows\System32\drivers\spotifyHResultInstaller.sys
3⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\System32\drivers\etc\spotifyHResultInstaller.exe
C:\Windows\System32\drivers\etc\spotifyHResultInstaller.exe C:\Windows\System32\drivers\spotifyHResultInstaller.sys
4⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 27876 /f
4⤵
- Modifies registry key
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 27876 /f
4⤵
- Modifies registry key
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {2787620314-2172020521-1728624429} /f
4⤵
- Modifies registry key
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {2787620314-2172020521-1728624429} /f
4⤵
- Modifies registry key
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {2787620314-2172020521-1728624429} /f
4⤵
- Modifies registry key
PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
3⤵
PID:3556

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:1604

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:2684

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:4812

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:4408

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:3644

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:3984

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:3436

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 2787620314-2172020521-1728624429 /f
4⤵
- Enumerates system info in registry
- Modifies registry key
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:1892

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 2787620314-2172020521-1728624429 /f
4⤵
- Enumerates system info in registry
- Modifies registry key
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
3⤵
PID:1236

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {2787620314-2172020521-1728624429} /f
4⤵
- Modifies registry key
PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
3⤵
PID:1800

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
3⤵
PID:448

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d%Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
3⤵
PID:3236

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d2787620314-2172020521-1728624429 /f
4⤵
- Modifies registry key
PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:824

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
3⤵
PID:3056

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
3⤵
PID:1572

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:1420

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:3432

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:532

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:4508

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:3648

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:1816

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:3088

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:2016

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:3780

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:4720

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
3⤵
PID:4996

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 2787931063-681611817-2760128356 /f
4⤵
- Modifies registry key
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f
3⤵
PID:4180

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {2787931063-681611817-2760128356} /f
4⤵
- Modifies registry key
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f
3⤵
PID:1324

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {2787931063-681611817-2760128356} /f
4⤵
- Modifies registry key
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\MountedDevices /f
3⤵
PID:2692

C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\MountedDevices /f
4⤵
- Modifies registry key
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
PID:2060

C:\Windows\system32\reg.exe
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
4⤵
- Modifies registry key
PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
PID:1044

C:\Windows\system32\reg.exe
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
4⤵
- Modifies registry key
PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
PID:3424

C:\Windows\system32\reg.exe
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
4⤵
- Modifies registry key
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
3⤵
PID:804

C:\Windows\system32\reg.exe
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
4⤵
- Modifies registry key
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
PID:3016

C:\Windows\system32\reg.exe
REG DELETE HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
4⤵
- Modifies registry key
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
3⤵
PID:2832

C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
4⤵
- Modifies registry key
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
3⤵
PID:1568

C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
4⤵
- Modifies registry key
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
3⤵
PID:4480

C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
4⤵
- Modifies registry key
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
3⤵
PID:2400

C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
4⤵
- Modifies registry key
PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
3⤵
PID:4280

C:\Windows\system32\reg.exe
REG DELETE HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
4⤵
- Checks processor information in registry
- Modifies registry key
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
3⤵
PID:3704

C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
4⤵
- Modifies registry key
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\ControlSet001\Services\BEService /f
3⤵
PID:3476

C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\ControlSet001\Services\BEService /f
4⤵
- Modifies registry key
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop winmgmt >nul
3⤵
PID:1208

C:\Windows\system32\sc.exe
sc stop winmgmt
4⤵
- Launches sc.exe
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc start winmgmt >nul
3⤵
PID:4956

C:\Windows\system32\sc.exe
sc start winmgmt
4⤵
- Launches sc.exe
PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul
3⤵
PID:1804

C:\Windows\system32\net.exe
net stop winmgmt /y
4⤵
PID:2112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
5⤵
PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul
3⤵
PID:2440

C:\Windows\system32\net.exe
net start winmgmt /y
4⤵
PID:4812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start winmgmt /y
5⤵
PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns >nul
3⤵
PID:2404

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
4⤵
- Gathers network information
PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh int reset all >nul
3⤵
PID:3616

C:\Windows\system32\netsh.exe
netsh int reset all
4⤵
PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh int ipv4 reset >nul
3⤵
PID:3604

C:\Windows\system32\netsh.exe
netsh int ipv4 reset
4⤵
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh int ipv6 reset >nul
3⤵
PID:1096

C:\Windows\system32\netsh.exe
netsh int ipv6 reset
4⤵
PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh winsock reset >nul
3⤵
PID:4940

C:\Windows\system32\netsh.exe
netsh winsock reset
4⤵
PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell vssadmin delete shadows /all >nul
3⤵
PID:4216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell vssadmin delete shadows /all
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all
5⤵
- Interacts with shadow copies
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Reset-PhysicalDisk * >nul
3⤵
PID:540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Reset-PhysicalDisk *
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n C: >nul
3⤵
PID:4852

C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /n C:
4⤵
PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n D: >nul
3⤵
PID:3868

C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /n D:
4⤵
- Enumerates connected drives
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n E: >nul
3⤵
PID:4300

C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /n E:
4⤵
- Enumerates connected drives
PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n F: >nul
3⤵
PID:2340

C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /n F:
4⤵
- Enumerates connected drives
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\System32\restore\MachineGuid.txt >nul
3⤵
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q C:\System Volume Information\IndexerVolumeGuid >nul
3⤵
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q C:\System Volume Information\tracking.log >nul
3⤵
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\INF\setupapi.dev.log >nul
3⤵
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\INF\setupapi.setup.log >nul
3⤵
PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\temp >nul
3⤵
PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Temp >nul
3⤵
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch >nul
3⤵
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exit
3⤵
PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Default\AppData\Roaming\injector.exe
3⤵
PID:3000

C:\Users\Default\AppData\Roaming\injector.exe
C:\Users\Default\AppData\Roaming\injector.exe
4⤵
- Sets service image path in registry
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
PID:4880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:4368

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:3244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:4612

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
PID:1552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:4320

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
- Kills process with taskkill
PID:2404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:1136

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
- Kills process with taskkill
PID:3436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:948

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:1096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:1036

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:4652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:1712

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
PID:664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:2612

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
- Kills process with taskkill
PID:1844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:5096

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:3920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:1300

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
- Kills process with taskkill
PID:2032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:4644

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
- Kills process with taskkill
PID:4076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:3160

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:4476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:744

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:4300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:2072

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
PID:3796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:3928

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:1432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:3980

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
PID:3600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:4844

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:3556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:2960

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:2324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:3676

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:1924

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:5072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:3224

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
- Kills process with taskkill
PID:2604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:1424

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
- Kills process with taskkill
PID:2768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:2404

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
PID:948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:1952

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
- Kills process with taskkill
PID:1460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:4868

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
- Kills process with taskkill
PID:1704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:1376

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
- Kills process with taskkill
PID:1840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:3604

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:1212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:4740

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
PID:864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:3248

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:5096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:3416

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:4920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:3656

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
- Kills process with taskkill
PID:4300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:1948

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:3016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:628

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
- Kills process with taskkill
PID:4024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:4332

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:4932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:2520

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
- Kills process with taskkill
PID:5064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:3960

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:3612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:1556

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:5072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:1208

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:3484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:1492

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:1500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:2960

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:1436

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:2604

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
- Kills process with taskkill
PID:2948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:3268

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:4368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:2112

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
PID:3508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:4928

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:4868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:1580

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:1332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:3136

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:1904

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:4292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:5020

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
- Kills process with taskkill
PID:1644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:3632

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:4076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:2064

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:2696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:3796

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
- Kills process with taskkill
PID:3852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:4568

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:4996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:4644

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
- Kills process with taskkill
PID:3928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:3580

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
- Kills process with taskkill
PID:4328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:1120

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
- Kills process with taskkill
PID:3760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:3172

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:1272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:1092

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:4892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:1980

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:1384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:1136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:664

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
- Kills process with taskkill
PID:1712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:1756

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:4496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:3676

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
- Kills process with taskkill
PID:2500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:4040

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
PID:1892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:4868

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
- Kills process with taskkill
PID:5096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:3404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:2404

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:3236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:1280

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:4396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:3440

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:3140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:2112

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
- Kills process with taskkill
PID:4920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:1456

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:4412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:2632

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
- Kills process with taskkill
PID:3856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:1160

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
- Kills process with taskkill
PID:3292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:3568

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:4616

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:4568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:4236

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:1120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:4288

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:4440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:3416

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
- Kills process with taskkill
PID:3484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:4184

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
- Kills process with taskkill
PID:1208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:2848

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:1324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:2324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:1556

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
PID:5044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:3048

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:1840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:4696

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
- Kills process with taskkill
PID:3924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:116

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
- Kills process with taskkill
PID:2592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:1080

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:3968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:2628

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
PID:3188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:428

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:3404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:3236

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:4400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:4476

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
- Kills process with taskkill
PID:1704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:2404

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:3348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:4412

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:2996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:1424

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:1404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:3744

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
PID:4016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:3656

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:1776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:3168

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:4328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:4568

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:3580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:3896

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:1272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:4924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3612

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:4088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:1928

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
- Kills process with taskkill
PID:948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:996

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
- Kills process with taskkill
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:1324

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:2244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:4044

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:1212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:1092

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:2592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:4588

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:4276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:3048

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:4844

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:2396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:4172

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
- Kills process with taskkill
PID:5100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:3444

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:4632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:2356

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:3796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:532

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
- Kills process with taskkill
PID:4644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:4396

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:4888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:4792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3508

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:1580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:3868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:1332

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
- Kills process with taskkill
PID:1392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:2240

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
PID:4424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:3812

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:3528

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
PID:1120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:1184

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
- Kills process with taskkill
PID:4652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:2520

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:4448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:2796

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:4864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:4932

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
- Kills process with taskkill
PID:1500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:3484

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
PID:2076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:1980

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:1560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:2612

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:2032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:3676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4292

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:2124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:3804

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:4844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:2364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3268

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
- Kills process with taskkill
PID:1360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:1352

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:4076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:3436

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
- Kills process with taskkill
PID:1704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:3588

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:3344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:3540

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:3860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:1172

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:4928

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:2632

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:4192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:4264

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:5064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:4476

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
- Kills process with taskkill
PID:1224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:4568

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
- Kills process with taskkill
PID:668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:1928

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
PID:1492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:4916

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:4864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:1184

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:1500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:996

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:4812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:2800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:1756

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:4440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:2444

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
PID:2768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:2032

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
- Kills process with taskkill
PID:3504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:3532

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:2848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:2948

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
- Kills process with taskkill
PID:4260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:3616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:2112

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
- Kills process with taskkill
PID:1148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:2960

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
- Kills process with taskkill
PID:3704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:2204

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:1644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:2736

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
PID:2236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:1708

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
PID:4412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:3588

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
- Kills process with taskkill
PID:4788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:532

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:1580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:4644

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:4884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:1300

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:3600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:2632

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:1900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:4752

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
PID:872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:2944

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
- Kills process with taskkill
PID:1272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:3896

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
PID:3500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:544

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:3484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:1208

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
- Kills process with taskkill
PID:3916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:1128

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:5096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:4448

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
PID:3668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:864

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
PID:1700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
5⤵
PID:3420

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
6⤵
- Kills process with taskkill
PID:1404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
5⤵
PID:1616

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
6⤵
PID:3012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
5⤵
PID:1000

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
6⤵
PID:2500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
5⤵
PID:3704

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
6⤵
PID:3756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
5⤵
PID:3968

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
6⤵
PID:2704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
5⤵
PID:3436

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
6⤵
- Kills process with taskkill
PID:4412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
5⤵
PID:2328

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
6⤵
PID:4264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:3524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

System Services

T1569

Service Execution

T1569.002

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Filesize
471B

MD5
2affd683839fddfda9403e5cb50a25f4

SHA1
b002826b55ad334de430340924c37c5807ae5445

SHA256
ae350fda0e006fda889fe6df45a2f20076e748d8ee307f1bdf2773fbb265a07c

SHA512
3a72aec0a3c2f340697c4524a2015661b0a2443ef2f47dd7f5f403f5ae2f11c9d5d899d0da9ff77b5507949eb7cbbabff2485d0baf1d569ef9fc36b6486150be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Filesize
412B

MD5
485f2ea0bad83ddc51045df84b791570

SHA1
85ae2d91b4396c35219857ffb2de507a1d3b6924

SHA256
8d1c7d5daca5fc42d671a405ea105edd7013f9f2463233891041ad561d55cbd7

SHA512
3d4001adced80a03623bc4cd16b1fc8228503db57e1fdffea848664a383f3706d1b8167b443489b64e9694c23da3c8a3ce50273ba4f66ce326c27a778c34a98e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe
Filesize
588KB

MD5
2582a8dfdf77e54747a2e84a27377131

SHA1
87a91b5cd34f2ed215a0092997ce2989a333b920

SHA256
38ea6534608e1496b285dadaa545a968c2b128111fc3841ba84f162f1a3f8e20

SHA512
f6193e490b95ef0ac3e2c66c2e83d8f582d4d86c4360b117a7ed11079a612ef62c2408968b96d3a55453cc0ac01b48773377ca090855650c368210235883ba3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RUNTIM~1.EXE
Filesize
45KB

MD5
888405f1ed21b89ac08343458251bf26

SHA1
4c9b54da2336376441af26ed4bedcd6fda1b316f

SHA256
a8b6f84c5a83b221cb27203a565852745db0010e793aedfe2e98db4cd7f10859

SHA512
4280eddeaba17692a542ab11e1ad92cde5aedd0857990bea01dbd967334801318fd5c31519e58af021ff07c7cf37c2cea6c99502d7f7c1b26852cfb935e3a2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ivep2ymj.z0c.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Default\AppData\Roaming\injector.exe
Filesize
6.0MB

MD5
883f82d264966f767d881d0247d35782

SHA1
a255b679824c4514d296cddeebb4bf5ab66aa3b6

SHA256
8f3abe6f403520bd76e9969da8f57c48eca0840c9c631ed12aeaa390f089a07e

SHA512
31d5aa29355c1a1d8b67546bfc32b3f9bbd81d7082b43e74e52f1fc7fcfd35a90e199ef9aded7752c8f88965ecb7f0a7eb8bb5771be0c1600915b3e3622c4936

Download Submit
C:\Windows\System32\drivers\etc\spotifyHResultInstaller.exe
Filesize
119KB

MD5
324330f343df4ac2f7f20db2c15f5e11

SHA1
835f87e709702252065348bc7cf2f5d531c2ba38

SHA256
b84a7b9233e5f6f2182535c0de85deb2375c6218fda5070b624710fcd7e74878

SHA512
ec8c085a0305b72bade63f020df73dcb79da736418ac0c70d9dd4fb79415a6d6e5dd78d733e06062019f6a28412295581774035aae4a0aacecbcd703c53f71b9

Download Submit
memory/2204-54-0x00000193EF240000-0x00000193EF26A000-memory.dmp

Filesize
168KB

Download
memory/2204-55-0x00000193EF240000-0x00000193EF264000-memory.dmp

Filesize
144KB

Download
memory/3056-40-0x00000259CABC0000-0x00000259CABE2000-memory.dmp

Filesize
136KB

Download
memory/4880-73-0x00007FF7750F0000-0x00007FF7756F6000-memory.dmp

Filesize
6.0MB

Download
memory/4880-75-0x00007FF7750F0000-0x00007FF7756F6000-memory.dmp

Filesize
6.0MB

Download