Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
21s -
max time network
16s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
29/06/2024, 09:29
General
-
Target
cleaner hackvshack.net.exe
-
Size
6.1MB
-
MD5
4a1635b43bc46617b5a2e4916bfd2fa9
-
SHA1
3bb3b336391251d446775889b5da375336f6305b
-
SHA256
2ba9d1f00b6c9eae7b5328afd6bd6e1561e4d6a831209f94d1f631ebffa72d9c
-
SHA512
f76ef411628ffdc37d769b0383317911c002dc5eac57e32e4cd5f6db8da7df5c38aa0c0a4d14d1af383bb58f2f264cf9b55a9e4002c784209ebabb5c6cd37ce2
-
SSDEEP
98304:ozmsCg59qryH9HVM+hPapWp4XNLHMLRXJGDxP0QlGNdtF8pJ:oSseyd1M+h8WpWLsLBJGvYdQ
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/3536-3-0x00007FF666FA0000-0x00007FF667A7E000-memory.dmp vmprotect behavioral1/memory/3536-6-0x00007FF666FA0000-0x00007FF667A7E000-memory.dmp vmprotect -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3536 cleaner hackvshack.net.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA7DC5~1.MUM cmd.exe File opened for modification C:\Windows\INF\c_usbfn.inf cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA04F5~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LAC96D~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\MSIXPA~1.MUM cmd.exe File opened for modification C:\Windows\INF\.NETFramework\corperfmonsymbols.ini cmd.exe File opened for modification C:\Windows\INF\rspndr.inf cmd.exe File opened for modification C:\Windows\INF\usbhub\0C0A\usbperf.ini cmd.exe File opened for modification C:\Windows\INF\.NETFramework\corperfmonsymbols.ini cmd.exe File opened for modification C:\Windows\INF\mdmbug3.inf cmd.exe File opened for modification C:\Windows\INF\rdyboost\0407\ReadyBoostPerfCounters.ini cmd.exe File opened for modification C:\Windows\INF\scunknown.inf cmd.exe File opened for modification C:\Windows\INF\sti.inf cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA7D49~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LAF97F~1.MUM cmd.exe File opened for modification C:\Windows\INF\netrass.inf cmd.exe File opened for modification C:\Windows\INF\UGatherer\0409\gsrvctr.ini cmd.exe File opened for modification C:\Windows\INF\.NETFramework\0411\corperfmonsymbols_d.ini cmd.exe File opened for modification C:\Windows\INF\TermService\0409\tslabels.ini cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA65FE~1.MUM cmd.exe File opened for modification C:\Windows\INF\net7800-x64-n650f.inf cmd.exe File opened for modification C:\Windows\INF\netnb.inf cmd.exe File opened for modification C:\Windows\INF\SERVIC~2.0\0000\_ServiceModelOperationPerfCounters_D.ini cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA2B9F~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LAD0D7~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA55DC~1.MUM cmd.exe File opened for modification C:\Windows\INF\SERVIC~1.0\0407\_ServiceModelEndpointPerfCounters_D.ini cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\WINDOW~1.MUM cmd.exe File opened for modification C:\Windows\INF\c_linedisplay.inf cmd.exe File opened for modification C:\Windows\INF\hdaudbus.inf cmd.exe File opened for modification C:\Windows\INF\netl260a.inf cmd.exe File opened for modification C:\Windows\INF\vsmraid.inf cmd.exe File opened for modification C:\Windows\INF\mdmcomp.inf cmd.exe File opened for modification C:\Windows\INF\mdmdgitn.inf cmd.exe File opened for modification C:\Windows\INF\mdmlucnt.inf cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA4D0B~1.MUM cmd.exe File opened for modification C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\040C\PerfCounters_d.ini cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA7D65~1.MUM cmd.exe File opened for modification C:\Windows\INF\.NET Data Provider for Oracle\_DataOracleClientPerfCounters_shared12_neutral.ini cmd.exe File opened for modification C:\Windows\INF\SMSvcHost 4.0.0.0\_SMSvcHostPerfCounters.h cmd.exe File opened for modification C:\Windows\INF\TermService\040C\tslabels.ini cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA90D5~1.MUM cmd.exe File opened for modification C:\Windows\INF\mdmairte.inf cmd.exe File opened for modification C:\Windows\INF\mdmarn.inf cmd.exe File opened for modification C:\Windows\INF\ehstorpwddrv.inf cmd.exe File opened for modification C:\Windows\INF\hidcfu.inf cmd.exe File opened for modification C:\Windows\INF\mdmaus.inf cmd.exe File opened for modification C:\Windows\INF\vca.inf cmd.exe File opened for modification C:\Windows\INF\iaLPSS2i_GPIO2_CNL.inf cmd.exe File opened for modification C:\Windows\INF\hidvhf.inf cmd.exe File opened for modification C:\Windows\INF\microsoft_bluetooth_a2dp_snk.inf cmd.exe File opened for modification C:\Windows\INF\mdmkortx.inf cmd.exe File opened for modification C:\Windows\INF\secrecs.inf cmd.exe File opened for modification C:\Windows\INF\SERVIC~2.0\0407\_ServiceModelOperationPerfCounters_D.ini cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\ONECOR~1.MUM cmd.exe File opened for modification C:\Windows\INF\storufs.inf cmd.exe File opened for modification C:\Windows\INF\hpsamd.inf cmd.exe File opened for modification C:\Windows\INF\netloop.inf cmd.exe File opened for modification C:\Windows\INF\.NET Data Provider for Oracle\0407\_DataOracleClientPerfCounters_shared12_neutral_d.ini cmd.exe File opened for modification C:\Windows\INF\BITS\0411\bitsctrs.ini cmd.exe File opened for modification C:\Windows\INF\defltwk.inf cmd.exe File opened for modification C:\Windows\INF\hidscanner.inf cmd.exe File opened for modification C:\Windows\INF\wstorvsc.inf cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\HELLOF~1.MUM cmd.exe -
Enumerates system info in registry 2 TTPs 9 IoCs
description ioc Process Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct reg.exe Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Apple-1577313326715" reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier reg.exe Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 reg.exe Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 reg.exe Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "Apple-15773-13326-71520500" reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier reg.exe Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Apple-15773-13326-71520500" reg.exe -
Kills process with taskkill 14 IoCs
pid Process 5052 taskkill.exe 316 taskkill.exe 1544 taskkill.exe 4212 taskkill.exe 1080 taskkill.exe 3004 taskkill.exe 2992 taskkill.exe 4752 taskkill.exe 4972 taskkill.exe 4324 taskkill.exe 1348 taskkill.exe 4228 taskkill.exe 740 taskkill.exe 1848 taskkill.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration reg.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 015780205536763090238732186824851399612739 reg.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface reg.exe Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\ClsidStore = 157762407518579117951355817941321401692328996297552590525385 reg.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Installer\Dependencies reg.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Installer reg.exe Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Installer\Dependencies\MSICache = 0157802055367630902387321868248513996127392360725757 reg.exe -
Modifies registry key 1 TTPs 64 IoCs
pid Process 3960 reg.exe 4392 reg.exe 3740 reg.exe 4336 reg.exe 2764 reg.exe 2472 reg.exe 2328 reg.exe 4040 reg.exe 2296 reg.exe 4920 reg.exe 3300 reg.exe 3248 reg.exe 1096 reg.exe 5024 reg.exe 4512 reg.exe 1868 reg.exe 1560 reg.exe 2992 reg.exe 1868 reg.exe 3828 reg.exe 4676 reg.exe 4632 reg.exe 3568 reg.exe 3828 reg.exe 4392 reg.exe 5040 reg.exe 3592 reg.exe 4704 reg.exe 644 reg.exe 5068 reg.exe 4120 reg.exe 4116 reg.exe 3592 reg.exe 3540 reg.exe 3036 reg.exe 4636 reg.exe 220 reg.exe 4120 reg.exe 1196 reg.exe 2812 reg.exe 3408 reg.exe 4932 reg.exe 2004 reg.exe 4060 reg.exe 4476 reg.exe 4696 reg.exe 988 reg.exe 3560 reg.exe 4880 reg.exe 4964 reg.exe 3552 reg.exe 1940 reg.exe 3260 reg.exe 2904 reg.exe 924 reg.exe 3944 reg.exe 2296 reg.exe 1012 reg.exe 1080 reg.exe 4352 reg.exe 5096 reg.exe 5100 reg.exe 1884 reg.exe 4440 reg.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3536 cleaner hackvshack.net.exe 3536 cleaner hackvshack.net.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeDebugPrivilege 1544 taskkill.exe Token: SeDebugPrivilege 2992 taskkill.exe Token: SeDebugPrivilege 4752 taskkill.exe Token: SeDebugPrivilege 4972 taskkill.exe Token: SeDebugPrivilege 4212 taskkill.exe Token: SeDebugPrivilege 1348 taskkill.exe Token: SeDebugPrivilege 1080 taskkill.exe Token: SeDebugPrivilege 4228 taskkill.exe Token: SeDebugPrivilege 5052 taskkill.exe Token: SeDebugPrivilege 740 taskkill.exe Token: SeDebugPrivilege 1848 taskkill.exe Token: SeDebugPrivilege 3004 taskkill.exe Token: SeDebugPrivilege 316 taskkill.exe Token: SeDebugPrivilege 4324 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3536 wrote to memory of 4540 3536 cleaner hackvshack.net.exe 86 PID 3536 wrote to memory of 4540 3536 cleaner hackvshack.net.exe 86 PID 3536 wrote to memory of 2984 3536 cleaner hackvshack.net.exe 94 PID 3536 wrote to memory of 2984 3536 cleaner hackvshack.net.exe 94 PID 3536 wrote to memory of 4388 3536 cleaner hackvshack.net.exe 95 PID 3536 wrote to memory of 4388 3536 cleaner hackvshack.net.exe 95 PID 3536 wrote to memory of 1600 3536 cleaner hackvshack.net.exe 96 PID 3536 wrote to memory of 1600 3536 cleaner hackvshack.net.exe 96 PID 3536 wrote to memory of 1012 3536 cleaner hackvshack.net.exe 97 PID 3536 wrote to memory of 1012 3536 cleaner hackvshack.net.exe 97 PID 1012 wrote to memory of 1544 1012 cmd.exe 98 PID 1012 wrote to memory of 1544 1012 cmd.exe 98 PID 3536 wrote to memory of 4784 3536 cleaner hackvshack.net.exe 99 PID 3536 wrote to memory of 4784 3536 cleaner hackvshack.net.exe 99 PID 4784 wrote to memory of 2992 4784 cmd.exe 100 PID 4784 wrote to memory of 2992 4784 cmd.exe 100 PID 3536 wrote to memory of 4936 3536 cleaner hackvshack.net.exe 101 PID 3536 wrote to memory of 4936 3536 cleaner hackvshack.net.exe 101 PID 4936 wrote to memory of 4752 4936 cmd.exe 102 PID 4936 wrote to memory of 4752 4936 cmd.exe 102 PID 3536 wrote to memory of 2212 3536 cleaner hackvshack.net.exe 103 PID 3536 wrote to memory of 2212 3536 cleaner hackvshack.net.exe 103 PID 2212 wrote to memory of 4972 2212 cmd.exe 104 PID 2212 wrote to memory of 4972 2212 cmd.exe 104 PID 3536 wrote to memory of 2900 3536 cleaner hackvshack.net.exe 105 PID 3536 wrote to memory of 2900 3536 cleaner hackvshack.net.exe 105 PID 2900 wrote to memory of 4212 2900 cmd.exe 106 PID 2900 wrote to memory of 4212 2900 cmd.exe 106 PID 3536 wrote to memory of 4656 3536 cleaner hackvshack.net.exe 107 PID 3536 wrote to memory of 4656 3536 cleaner hackvshack.net.exe 107 PID 4656 wrote to memory of 1348 4656 cmd.exe 108 PID 4656 wrote to memory of 1348 4656 cmd.exe 108 PID 3536 wrote to memory of 1216 3536 cleaner hackvshack.net.exe 109 PID 3536 wrote to memory of 1216 3536 cleaner hackvshack.net.exe 109 PID 1216 wrote to memory of 1080 1216 cmd.exe 110 PID 1216 wrote to memory of 1080 1216 cmd.exe 110 PID 3536 wrote to memory of 332 3536 cleaner hackvshack.net.exe 111 PID 3536 wrote to memory of 332 3536 cleaner hackvshack.net.exe 111 PID 332 wrote to memory of 4228 332 cmd.exe 112 PID 332 wrote to memory of 4228 332 cmd.exe 112 PID 3536 wrote to memory of 1560 3536 cleaner hackvshack.net.exe 113 PID 3536 wrote to memory of 1560 3536 cleaner hackvshack.net.exe 113 PID 1560 wrote to memory of 5052 1560 cmd.exe 114 PID 1560 wrote to memory of 5052 1560 cmd.exe 114 PID 3536 wrote to memory of 3088 3536 cleaner hackvshack.net.exe 115 PID 3536 wrote to memory of 3088 3536 cleaner hackvshack.net.exe 115 PID 3088 wrote to memory of 740 3088 cmd.exe 116 PID 3088 wrote to memory of 740 3088 cmd.exe 116 PID 3536 wrote to memory of 5104 3536 cleaner hackvshack.net.exe 117 PID 3536 wrote to memory of 5104 3536 cleaner hackvshack.net.exe 117 PID 5104 wrote to memory of 1848 5104 cmd.exe 118 PID 5104 wrote to memory of 1848 5104 cmd.exe 118 PID 3536 wrote to memory of 1392 3536 cleaner hackvshack.net.exe 119 PID 3536 wrote to memory of 1392 3536 cleaner hackvshack.net.exe 119 PID 1392 wrote to memory of 3004 1392 cmd.exe 120 PID 1392 wrote to memory of 3004 1392 cmd.exe 120 PID 3536 wrote to memory of 4616 3536 cleaner hackvshack.net.exe 121 PID 3536 wrote to memory of 4616 3536 cleaner hackvshack.net.exe 121 PID 4616 wrote to memory of 316 4616 cmd.exe 122 PID 4616 wrote to memory of 316 4616 cmd.exe 122 PID 3536 wrote to memory of 1940 3536 cleaner hackvshack.net.exe 123 PID 3536 wrote to memory of 1940 3536 cleaner hackvshack.net.exe 123 PID 1940 wrote to memory of 4324 1940 cmd.exe 124 PID 1940 wrote to memory of 4324 1940 cmd.exe 124
Processes
-
C:\Users\Admin\AppData\Local\Temp\cleaner hackvshack.net.exe"C:\Users\Admin\AppData\Local\Temp\cleaner hackvshack.net.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c color 0b2⤵PID:4540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp2⤵PID:2984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat2⤵PID:4388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\system32\taskkill.exetaskkill /f /im steam.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\system32\taskkill.exetaskkill /f /im OneDrive.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f2⤵PID:684
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f3⤵
- Modifies registry key
PID:2004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f2⤵PID:3616
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f3⤵
- Modifies registry key
PID:4920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f2⤵PID:2736
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f3⤵
- Modifies registry key
PID:3300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f2⤵PID:2780
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-15773 /f3⤵PID:4696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f2⤵PID:3332
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-15773 /f3⤵
- Modifies registry key
PID:1868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-%random%-%random} /f2⤵PID:1976
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-15773-%random} /f3⤵
- Modifies registry key
PID:3828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f2⤵PID:3856
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-1577313326715 /f3⤵
- Modifies registry key
PID:3552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-%random% /f2⤵PID:4660
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-15773 /f3⤵
- Modifies registry key
PID:4676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-%random% /f2⤵PID:1480
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-15773 /f3⤵
- Modifies registry key
PID:4120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f2⤵PID:2932
-
C:\Windows\system32\reg.exeREG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-1577313326715 /f3⤵
- Enumerates system info in registry
- Modifies registry key
PID:1196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f2⤵PID:1468
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-15773-13326-71520500} /f3⤵PID:2396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f2⤵PID:1028
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-15773-13326-71520500} /f3⤵PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f2⤵PID:1384
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-15773-13326-71520500} /f3⤵
- Modifies registry key
PID:2296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:4000
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-15773-13326-71520500 /f3⤵PID:4040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:3196
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-15773-13326-71520500 /f3⤵
- Modifies registry key
PID:2812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:4388
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-15773-13326-71520500 /f3⤵PID:1600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:1656
-
C:\Windows\system32\reg.exeREG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-15773-13326-71520500 /f3⤵PID:1272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:3736
-
C:\Windows\system32\reg.exeREG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-15773-13326-71520500 /f3⤵
- Modifies registry key
PID:3560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:4856
-
C:\Windows\system32\reg.exeREG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-15773-13326-71520500 /f3⤵
- Enumerates system info in registry
PID:2452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:1864
-
C:\Windows\system32\reg.exeREG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-15773-13326-71520500 /f3⤵
- Enumerates system info in registry
- Modifies registry key
PID:4060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f2⤵PID:4012
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-15773-13326-71520500} /f3⤵
- Modifies registry key
PID:3592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f2⤵PID:4744
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-15773-13326-71520500} /f3⤵
- Modifies registry key
PID:4392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f2⤵PID:1788
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 15773 /f3⤵
- Modifies registry key
PID:4632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f >nul 2>&12⤵PID:1672
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple15773-13326-715-205003244} /f3⤵
- Modifies registry key
PID:3248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f2⤵PID:4536
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple15773-13326-715-205003244} /f3⤵PID:628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f2⤵PID:1184
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 15773 /f3⤵
- Modifies registry key
PID:4704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f2⤵PID:2120
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 15773 /f3⤵
- Modifies registry key
PID:3540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f2⤵PID:2412
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 15773 /f3⤵PID:4260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f2⤵PID:4268
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 15773-13326-715-20500 /f3⤵
- Modifies registry key
PID:3740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%-%random%-%random%-%random%%random%%random% /f2⤵PID:1784
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 1577624075-18579-11795-13558-179413214016923 /f3⤵
- Modifies registry key
PID:3408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f2⤵PID:2712
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Apple15776-24075-18579-11795 /f3⤵
- Modifies registry key
PID:4336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple%random% /f2⤵PID:4324
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple15776 /f3⤵
- Modifies registry key
PID:1940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f2⤵PID:1252
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 15776 /f3⤵PID:3724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f2⤵PID:4008
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 15776 /f3⤵PID:3436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple%random%-%random%-%random%-%random%} /f2⤵PID:1492
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple15776-24075-18579-11795} /f3⤵
- Modifies registry key
PID:4932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f2⤵PID:1988
-
C:\Windows\system32\reg.exeREG delete HKCU\Software\Epic" "Games /f3⤵
- Modifies registry key
PID:3568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games /f2⤵PID:5056
-
C:\Windows\system32\reg.exeREG delete HKCU\Software\Epic Games /f3⤵
- Modifies registry key
PID:2764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f2⤵PID:4208
-
C:\Windows\system32\reg.exeREG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f3⤵
- Modifies registry key
PID:4476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f2⤵PID:2384
-
C:\Windows\system32\reg.exeREG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f3⤵
- Modifies registry key
PID:4880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f2⤵PID:3556
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 15776-24075-18579-1179513558 /f3⤵
- Modifies registry key
PID:3260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f2⤵PID:2316
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f3⤵
- Modifies registry key
PID:1884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f2⤵PID:4152
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f3⤵
- Modifies registry key
PID:644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f2⤵PID:4840
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f3⤵
- Modifies registry key
PID:1096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f2⤵PID:3220
-
C:\Windows\system32\reg.exereg delete HKCR\com.epicgames.launcher /f3⤵PID:412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f2⤵PID:4480
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\MountedDevices /f3⤵PID:4504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f2⤵PID:4928
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f3⤵PID:4768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f2⤵PID:1860
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f3⤵PID:4560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f2⤵PID:3912
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f3⤵
- Modifies registry key
PID:1012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f2⤵PID:880
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f3⤵PID:2744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f2⤵PID:2420
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f3⤵
- Modifies registry key
PID:3036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:4784
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-15776-24075-1857911795 /f3⤵PID:4852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:4288
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-15776-24075-1857911795 /f3⤵
- Modifies registry key
PID:2904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f2⤵PID:2656
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f3⤵
- Modifies registry key
PID:5068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:4024
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-15776-24075-1857911795 /f3⤵
- Modifies registry key
PID:1080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:4196
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-15776-24075-1857911795 /f3⤵
- Modifies registry key
PID:5024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:3744
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-15776-24075-1857911795 /f3⤵
- Modifies registry key
PID:1560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f2⤵PID:5016
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\MountedDevices /f3⤵
- Modifies registry key
PID:4440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f2⤵PID:764
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f3⤵
- Modifies registry key
PID:5040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f2⤵PID:3088
-
C:\Windows\system32\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f3⤵
- Modifies registry key
PID:2472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f2⤵PID:3880
-
C:\Windows\system32\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f3⤵
- Modifies registry key
PID:4636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f2⤵PID:3004
-
C:\Windows\system32\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f3⤵
- Modifies registry key
PID:2328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f2⤵PID:3712
-
C:\Windows\system32\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f3⤵
- Modifies registry key
PID:4512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵PID:2320
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 157762407518579117951355817941321401692328996297552590525385 /f3⤵
- Modifies registry class
- Modifies registry key
PID:220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:3996
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-15776-24075-1857911795 /f3⤵
- Modifies registry key
PID:4352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:684
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-15776-24075-1857911795 /f3⤵
- Modifies registry key
PID:4964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%%random%-%random%-%random%%random%-%random%%random%%random% /f2⤵PID:1188
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 1577624075-18579-1179513558-179413214016923 /f3⤵
- Modifies registry key
PID:4696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f2⤵PID:2736
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Classes\Interface /v ClsidStore /f3⤵
- Modifies registry key
PID:1868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:1972
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-15776-24075-1857911795 /f3⤵
- Modifies registry key
PID:3828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f2⤵PID:5112
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-15776-24075-1857911795 /f3⤵PID:3552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵PID:4412
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 15780205536763090238732186824851399612739236072575725430 /f3⤵PID:4676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵PID:3212
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 157802055367630902387321868248513996127392360725757 /f3⤵
- Modifies registry class
- Modifies registry key
PID:4120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵PID:2488
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 1578020553676309023873218682485139961273923607 /f3⤵PID:1196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵PID:4048
-
C:\Windows\system32\reg.exeREG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 15780205536763090238732186824851399612739236072575725430 /f3⤵PID:2396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵PID:3680
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 15780205536763090238732186824851399612739 /f3⤵
- Modifies Internet Explorer settings
- Modifies registry key
PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵PID:1488
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 15780205536763090238732186824851399612739 /f3⤵
- Modifies registry key
PID:2296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵PID:2680
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 15780205536763090238732186824851399612739 /f3⤵
- Modifies registry key
PID:4040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f2⤵PID:1384
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 1578020553676 /f3⤵
- Modifies registry key
PID:988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f2⤵PID:2392
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 1578020553676 /f3⤵
- Modifies registry key
PID:5100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f2⤵PID:2984
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 1578020553676 /f3⤵
- Modifies registry key
PID:924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f2⤵PID:5028
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 1578020553676 /f3⤵
- Modifies registry key
PID:2992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵PID:4232
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 15780205536763090238732186824851399612739236072575725430 /f3⤵
- Modifies registry key
PID:3944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.%random%.%random%-%random%_%random%%random% /f2⤵PID:2292
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.15780.2055-3676_309023873 /f3⤵PID:4060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f2⤵PID:4936
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {15780-2055-3676-3090} /f3⤵
- Modifies registry key
PID:3592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f2⤵PID:4216
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f3⤵
- Modifies registry key
PID:4392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Blizzard Entertainment\Battle.net /f2⤵PID:1952
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Blizzard Entertainment\Battle.net /f3⤵
- Modifies registry key
PID:3960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\Software\WOW6432Node\Blizzard Entertainment /f2⤵PID:848
-
C:\Windows\system32\reg.exereg delete HKLM\Software\WOW6432Node\Blizzard Entertainment /f3⤵
- Modifies registry key
PID:4116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%localappdata%\FortniteGame2⤵PID:3744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%localappdata%\EpicGames2⤵PID:4440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%localappdata%\EpicGamesLauncher2⤵PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rd /q /s %systemdrive%\$Recycle.Bin2⤵PID:764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin2⤵PID:2472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin2⤵PID:3088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin2⤵PID:4636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache2⤵
- Drops file in Windows directory
PID:2328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore2⤵PID:3004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved2⤵PID:4512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete2⤵PID:3712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF2⤵
- Drops file in Windows directory
PID:2712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache2⤵PID:4352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch2⤵PID:3996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache2⤵PID:4964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient2⤵PID:684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp2⤵PID:4696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Logs2⤵PID:1188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore2⤵PID:1868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs2⤵PID:2736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp2⤵PID:3828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache2⤵PID:1972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch2⤵PID:3552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs2⤵PID:5112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*2⤵PID:4676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*2⤵PID:4412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC2⤵PID:4120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache2⤵PID:3212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings2⤵PID:1196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins2⤵PID:2488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins2⤵PID:2396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir2⤵PID:4048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation2⤵PID:5096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat2⤵PID:3680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache2⤵PID:2296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules2⤵PID:1488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache2⤵PID:4040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp2⤵PID:2680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore2⤵PID:988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved2⤵PID:1384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF2⤵
- Drops file in Windows directory
PID:5100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive2⤵PID:2392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\Public\Documents2⤵PID:924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch2⤵PID:2984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache2⤵PID:2992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient2⤵PID:5028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp2⤵PID:3944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore2⤵PID:4232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs2⤵PID:4060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp2⤵PID:2292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache2⤵PID:4784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation2⤵PID:3592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch2⤵PID:4392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*2⤵PID:4216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*2⤵PID:3960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*2⤵PID:1952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC2⤵PID:4116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache2⤵PID:848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings2⤵PID:3980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins2⤵PID:1064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins2⤵PID:3016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir2⤵PID:2536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config2⤵PID:696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation2⤵PID:1672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat2⤵PID:2056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache2⤵PID:4536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules2⤵PID:1708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache2⤵PID:1184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp2⤵PID:5064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache2⤵PID:3432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies2⤵PID:4296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory2⤵PID:2412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache2⤵PID:3408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache2⤵PID:4268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException2⤵PID:4328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE2⤵PID:1784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History2⤵PID:4052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low2⤵PID:4576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState2⤵PID:4616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache02⤵PID:4352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState2⤵PID:3300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v32⤵PID:4372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\Intel2⤵PID:968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData2⤵PID:2340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache2⤵PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache2⤵PID:1868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher2⤵PID:3484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine2⤵PID:3576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher2⤵PID:1972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD2⤵PID:3552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL2⤵PID:5112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini2⤵PID:4676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache2⤵PID:1812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid2⤵PID:4120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.02⤵PID:3212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.02⤵PID:1196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery2⤵PID:2488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds2⤵PID:2396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt2⤵PID:4048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER2⤵PID:5096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\Public\Libraries2⤵PID:3680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\MSOCache2⤵PID:2296
-