Malware Analysis Report

2024-09-09 18:59

Sample ID 240618-nchlbs1cpb
Target untraceable.rar
SHA256 f7ffda8d8e1949fa2b1cbba487da7a3f441e72738cae3464fbde37d4ff161ac1
Tags
evasion persistence privilege_escalation spyware stealer
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file untraceable.rar was found to be: Likely malicious.

Malicious Activity Summary

evasion persistence privilege_escalation spyware stealer

Modifies Windows Firewall

Reads user/profile data of web browsers

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Kills process with taskkill

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 11:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 11:14

Reported

2024-06-18 11:15

Platform

win10v2004-20240611-en

Max time kernel

19s

Max time network

21s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\untraceable.rar

Signatures

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 3128 N/A C:\Windows\system32\OpenWith.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 2940 wrote to memory of 3128 N/A C:\Windows\system32\OpenWith.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 2940 wrote to memory of 3128 N/A C:\Windows\system32\OpenWith.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 3128 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3128 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3128 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2040 wrote to memory of 4804 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\untraceable.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\untraceable.rar"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9259B45DD2D9CD3148B1ECC30147FE98 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1740F6B896AC73CA58127C101B74B471 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1740F6B896AC73CA58127C101B74B471 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2C5FCEF82A11EB428211E8F5748DB129 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E6A305811A6D96A5C91A395C1552311B --mojo-platform-channel-handle=1868 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D4D29FB16F94797CD8E2751D96991AC0 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 88.61.62.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 11:14

Reported

2024-06-18 11:18

Platform

win10v2004-20240508-en

Max time kernel

205s

Max time network

204s

Command Line

"C:\Users\Admin\AppData\Local\Temp\untraceable.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Logs\waasmedic\WAASME~1.ETL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Logs\waasmedic\WAASME~2.ETL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Logs\waasmedic\WAASME~3.ETL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Logs\waasmedic\WAASME~4.ETL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Logs\waasmedic\WAACF5~1.ETL C:\Windows\system32\cmd.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4500 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 2252 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2252 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4500 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 5104 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5104 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4500 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 744 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 744 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4500 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4848 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4848 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4500 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 3216 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3216 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4500 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 2060 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2060 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4500 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 3592 wrote to memory of 4448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3592 wrote to memory of 4448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4500 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 1836 wrote to memory of 3416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1836 wrote to memory of 3416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4500 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 3436 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3436 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4500 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 1392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3828 wrote to memory of 1392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4500 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3212 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4500 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 2284 wrote to memory of 1200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2284 wrote to memory of 1200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4500 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 3728 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3728 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4500 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 3052 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3052 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4500 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2180 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4500 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 2044 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2044 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
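The rows above come in identical pairs because the sandbox logs two write events per child, and every pair is a parent writing into a process it has just started: untraceable.exe (PID 4500) into each cmd.exe, and each cmd.exe into the taskkill.exe or reg.exe it launches. The Python below is an added example, not part of this report or of the sample. It parses rows in the flattened Description / Indicator / Process / Target layout used above (a subset of the rows is embedded as sample input), rebuilds the process tree, and checks that no PID was written to by more than one process. Writes that only go parent to child are what ordinary process creation looks like in this kind of telemetry; a target with a second, unrelated writer is the row to pull apart by hand.

```python
"""Rebuild the process tree from "PID X wrote to memory of Y" rows.

Added example; not part of the report or of the sample.  The rows below are
copied from the WriteProcessMemory table above.  Reading the flattened row as
"Description Indicator Process Target" is this example's assumption.
"""
import re
from collections import Counter, defaultdict, namedtuple

# Constructed sample input: a subset of the report's rows, copied verbatim.
ROWS = r"""
PID 4500 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 3216 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3216 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4500 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 2060 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2060 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4500 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\untraceable.exe C:\Windows\system32\cmd.exe
PID 2284 wrote to memory of 1200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2284 wrote to memory of 1200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
"""

# The two image paths are told apart by their drive-letter prefix, so a path
# containing spaces ("C:\Program Files (x86)\...") still splits correctly.
ROW_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<indicator>\S+) (?P<proc>[A-Za-z]:\\.*?) (?P<tgt>[A-Za-z]:\\.*)$"
)

Write = namedtuple("Write", "writer target writer_image target_image")


def parse_rows(text):
    """Parse flattened table rows; lines that are not rows are skipped."""
    writes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            writes.append(Write(int(m["writer"]), int(m["target"]),
                                m["proc"], m["tgt"]))
    return writes


def build_tree(writes):
    """Map each writer PID to its sorted, de-duplicated targets, and every
    PID to the image path the report gives for it."""
    children, images = defaultdict(set), {}
    for w in writes:
        children[w.writer].add(w.target)
        images[w.writer] = w.writer_image
        images[w.target] = w.target_image
    return {pid: sorted(kids) for pid, kids in children.items()}, images


def roots(children):
    """PIDs that write to others but are never written to themselves."""
    targets = {t for kids in children.values() for t in kids}
    return sorted(pid for pid in children if pid not in targets)


def write_counts(writes):
    """Write events per (writer, target) pair.  The report records two per
    child, which is why its rows come in identical pairs."""
    return dict(Counter((w.writer, w.target) for w in writes))


def single_writer_per_target(writes):
    """True when no target PID is written to by two different processes.
    A PID with several writers is not explained by a parent setting up the
    child it just created, and is the first thing to look at."""
    writers = defaultdict(set)
    for w in writes:
        writers[w.target].add(w.writer)
    return all(len(ws) == 1 for ws in writers.values())


def render(children, images, pid, depth=0):
    """Indented text tree rooted at pid, children in PID order."""
    lines = [f"{'  ' * depth}{pid} {images.get(pid, '?')}"]
    for kid in children.get(pid, []):
        lines.extend(render(children, images, kid, depth + 1))
    return lines


if __name__ == "__main__":
    writes = parse_rows(ROWS)
    children, images = build_tree(writes)
    for root in roots(children):
        print("\n".join(render(children, images, root)))
    print("single writer per target:", single_writer_per_target(writes))
```

Feed it the full table and the output is the same tree the Processes section lists: one launcher, one cmd.exe per batch line, one taskkill.exe or reg.exe per cmd.exe.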

Processes

C:\Users\Admin\AppData\Local\Temp\untraceable.exe

"C:\Users\Admin\AppData\Local\Temp\untraceable.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im epicgameslauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicWebHelper.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_BE.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EasyAntiCheat.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im BEService.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im BEServices.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im BattleEye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKCU\SOFTWARE\Epic Games" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Epic Games" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKCR\com.epicgames.eos" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKCR\com.epicgames.eos" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\EpicGames" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\EpicGames" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall reset > nul 2>&1

C:\Windows\system32\netsh.exe

netsh advfirewall reset

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Temp\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Windows\Temp\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Windows\Prefetch\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Temp\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.etl > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.log > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.tmp > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.old > nul 2>&1

C:\Users\Admin\AppData\Local\Temp\untraceable.exe

"C:\Users\Admin\AppData\Local\Temp\untraceable.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im epicgameslauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicWebHelper.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_BE.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EasyAntiCheat.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im BEService.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im BEServices.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im BattleEye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKCU\SOFTWARE\Epic Games" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Epic Games" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKCR\com.epicgames.eos" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKCR\com.epicgames.eos" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\EpicGames" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\EpicGames" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall reset > nul 2>&1

C:\Windows\system32\netsh.exe

netsh advfirewall reset

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Local\FortniteGame" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Local\Epic Games" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\All Users\Epic\EpicGamesLauncher\Data\EMS\current" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Local\UnrealEngine" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\ProgramData\Epic\EpicOnlineServices" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\ProgramData\Epic\EpicGamesLauncher\Data\EMS\current" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Program Files (x86)\Epic Games\Epic Online Services\service" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\Shared Files" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Program Files (x86)\Common Files\BattlEye" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Program Files (x86)\EasyAntiCheat" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RMDIR /s /Q "%systemdrive%\$Recycle.bin" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c el /q "%systemdrive%\ProgramData\Microsoft\Windows\WER\Temp\" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\ProgramData\Microsoft\Windows\WER\Temp\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\AppData\Local\Temp\*" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\AppData\Local\Temp\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Windows\Temp\*" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Windows\Temp\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Windows\TEMP\*" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Windows\TEMP\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Windows\temp\*" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Windows\temp\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Program Files (x86)\Temp\*" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Program Files (x86)\Temp\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Windows\Logs\*" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Windows\Logs\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\AppData\Local\D3DSCache\*" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\AppData\Local\D3DSCache\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\AppData\Local\CrashReportClient\*" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\AppData\Local\CrashReportClient\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Windows\Prefetch\*" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Windows\Prefetch\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\Recent\*" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\Recent\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\AppData\Local\AMD\*" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\AppData\Local\AMD\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\AppData\Local\AMD_Common\*" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\AppData\Local\AMD_Common\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds\*" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds\*") do @rd /s /q "%x" > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im epicgameslauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicWebHelper.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_BE.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EasyAntiCheat.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im BEService.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im BEServices.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im BattleEye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKCU\SOFTWARE\Epic Games" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Epic Games" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKCR\com.epicgames.eos" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKCR\com.epicgames.eos" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\EpicGames" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\EpicGames" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f > nul 2>&1

C:\Windows\system32\reg.exe

reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall reset > nul 2>&1

C:\Windows\system32\netsh.exe

netsh advfirewall reset

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Temp\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Windows\Temp\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Windows\Prefetch\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Temp\ > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.etl > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.log > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.tmp > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.old > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.bak > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.bac > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.bup > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.chk > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.dmp > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.temp > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im epicgameslauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicWebHelper.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_BE.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe
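Taken together, the cmd.exe children above are a cleanup routine. It kills Epic Games Launcher, Fortnite, EasyAntiCheat and BattlEye processes, deletes their service and configuration keys, runs netsh advfirewall reset (the only firewall-related command in the list, and so the one behind the "Modifies Windows Firewall" signature in the summary), and then removes locations that hold evidence rather than game data: Prefetch, Recent, $Recycle.bin, WER, Windows\Logs, the temp folders, *.etl, *.log and *.dmp files, the CapabilityAccessManager ConsentStore key (which desktop apps used the microphone, and when) and RADAR's HeapLeakDetection\DiagnosedApplications key (programs RADAR has diagnosed, commonly used as evidence of execution). Two caveats when reading the list: the HKLM key deletions and the firewall reset need administrative rights, and every command ends in > nul 2>&1, so failures are silent; and one recorded line reads el /q rather than del /q, which cmd rejects on a stock system, so that step did nothing. The Python below is an added example, not code from this report or from the sample. It classifies process command lines of the kind a Sysmon process-creation or Security 4688 feed provides, tags targets that are forensic artifacts, and maps each to an ATT&CK technique. The sample input is copied from the process list; the category names, artifact labels and ATT&CK mapping are this example's own choices.

```python
"""Classify the cmd.exe child command lines recorded in the process list.

Added example; not part of the report or of the sample.  Input lines are
copied from the process list above.  Category names, artifact labels and the
ATT&CK mapping are this example's own choices, not the sandbox's.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "category target artifact technique body")

# Strip the 'C:\...\cmd.exe /c ' wrapper and trailing '> nul 2>&1' / '2>&1'
# so the rules see only the command the batch script actually ran.
CMD_PREFIX = re.compile(r"^(?:\S*cmd(?:\.exe)?\s+)?/c\s+", re.I)
REDIRECT = re.compile(r"(?:\s*(?:\d?>\s*nul|2>&1))+\s*$", re.I)

# (category, pattern); group 1, where present, is the thing acted on.
RULES = [
    ("kill_process", re.compile(r"^taskkill\b.*?/im\s+(\S+)", re.I)),
    ("delete_registry_key", re.compile(r'^reg\s+delete\s+"?([^"]+?)"?\s+/f\b', re.I)),
    ("reset_firewall", re.compile(r"^netsh\s+advfirewall\s+reset\b", re.I)),
    # for /d %x in ("dir\*") do @rd /s /q "%x" is a directory wipe spelled differently
    ("remove_directory", re.compile(
        r'^for\s+/d\s+%\w\s+in\s+\("?([^"\)]+?)"?\)\s+do\s+@?(?:rd|rmdir)\b', re.I)),
    ("remove_directory", re.compile(r'^(?:rmdir|rd)\s+(?:/\w\s+)*"?([^"]+?)"?\s*$', re.I)),
    ("delete_files", re.compile(r'^del\s+(?:/\w\s+)*"?([^"]+?)"?\s*$', re.I)),
]

TECHNIQUE = {
    "kill_process": "T1562.001 Impair Defenses: Disable or Modify Tools",
    "delete_registry_key": "T1112 Modify Registry",
    "reset_firewall": "T1562.004 Impair Defenses: Disable or Modify System Firewall",
    "remove_directory": "T1070.004 Indicator Removal: File Deletion",
    "delete_files": "T1070.004 Indicator Removal: File Deletion",
}

# Targets that are evidence sources rather than game data; first match wins.
FORENSIC_ARTIFACTS = [
    (re.compile(r"\\Prefetch\\", re.I), "Prefetch (program execution evidence)"),
    (re.compile(r"\$Recycle\.bin", re.I), "Recycle Bin"),
    (re.compile(r"\\Recent\\", re.I), "Recent items (LNK)"),
    (re.compile(r"\\Windows\\Logs\\|\.(?:log|etl|dmp)$", re.I), "Logs, ETL traces and crash dumps"),
    (re.compile(r"\\WER\\", re.I), "Windows Error Reporting"),
    (re.compile(r"INetCache|INetCookies|\\History\\", re.I), "Browser cache, cookies and history"),
    (re.compile(r"CapabilityAccessManager\\ConsentStore", re.I), "ConsentStore (microphone/camera usage records)"),
    (re.compile(r"RADAR\\HeapLeakDetection", re.I), "RADAR diagnosed-applications (execution evidence)"),
    (re.compile(r"\\Services\\", re.I), "Service registration"),
]


def strip_wrapper(line):
    """Reduce a recorded command line to the command cmd.exe executed."""
    return CMD_PREFIX.sub("", REDIRECT.sub("", line.strip()))


def classify(line):
    """Return a Finding for a recognised command, or None."""
    body = strip_wrapper(line)
    for category, rx in RULES:
        m = rx.match(body)
        if m:
            target = m.group(1) if m.groups() else ""
            artifact = next((label for arx, label in FORENSIC_ARTIFACTS
                             if arx.search(target)), None)
            return Finding(category, target, artifact, TECHNIQUE[category], body)
    return None


def triage(lines):
    """Split command lines into findings and the stripped bodies of anything
    no rule recognised; the latter deserve a manual look."""
    findings, unclassified = [], []
    for line in lines:
        f = classify(line)
        if f:
            findings.append(f)
        else:
            unclassified.append(strip_wrapper(line))
    return findings, unclassified


def summarize(findings):
    """Count findings per ATT&CK technique ID."""
    return Counter(f.technique.split()[0] for f in findings)


def touched_artifacts(findings):
    """Distinct forensic artifact classes the routine destroys."""
    return sorted({f.artifact for f in findings if f.artifact})


# Constructed sample input: command lines copied from the process list above.
SAMPLE = [
    r"C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe 2>&1",
    r'C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f > nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f > nul 2>&1',
    r"C:\Windows\system32\cmd.exe /c netsh advfirewall reset > nul 2>&1",
    r"C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Windows\Prefetch\ > nul 2>&1",
    r"C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.log > nul 2>&1",
    r'C:\Windows\system32\cmd.exe /c RMDIR /s /Q "%systemdrive%\$Recycle.bin" > nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\ProgramData\Microsoft\Windows\WER\Temp\*") do @rd /s /q "%x" > nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c el /q "%systemdrive%\ProgramData\Microsoft\Windows\WER\Temp\" > nul 2>&1',
]

if __name__ == "__main__":
    findings, unclassified = triage(SAMPLE)
    for f in findings:
        tag = f"  [{f.artifact}]" if f.artifact else ""
        print(f"{f.technique.split()[0]:10} {f.category:20} {f.target}{tag}")
    for body in unclassified:
        print("unclassified:", body)
```

The artifact tags are the part worth keeping when turning this into a detection: a game's uninstaller also kills processes and deletes its own keys, but nothing legitimate wipes Prefetch, $Recycle.bin, WER and ConsentStore in the same batch, so alert on the combination of T1070.004 hits against those locations rather than on any single del.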

Network

Files

N/A