Malware Analysis Report

2025-03-15 05:53

Sample ID 240629-lf9swaxgjn
Target cleaner hackvshack.net.exe
SHA256 2ba9d1f00b6c9eae7b5328afd6bd6e1561e4d6a831209f94d1f631ebffa72d9c
Tags vmprotect spyware stealer
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file "cleaner hackvshack.net.exe" was found to show suspicious behavior.

Malicious Activity Summary

vmprotect spyware stealer

VMProtect packed file

Reads user/profile data of web browsers

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Modifies registry class

Analysis: static1

Detonation Overview

Reported

2024-06-29 09:29

Signatures

VMProtect packed file

vmprotect

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 09:29

Reported

2024-06-29 09:30

Platform

win10v2004-20240611-en

Max time kernel

21s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cleaner hackvshack.net.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cleaner hackvshack.net.exe N/A

Drops file in Windows directory

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Apple-1577313326715" C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "Apple-15773-13326-71520500" C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Apple-15773-13326-71520500" C:\Windows\system32\reg.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration C:\Windows\system32\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 015780205536763090238732186824851399612739 C:\Windows\system32\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface C:\Windows\system32\reg.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\ClsidStore = 157762407518579117951355817941321401692328996297552590525385 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Installer\Dependencies C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Installer C:\Windows\system32\reg.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Installer\Dependencies\MSICache = 0157802055367630902387321868248513996127392360725757 C:\Windows\system32\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cleaner hackvshack.net.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Processes

C:\Users\Admin\AppData\Local\Temp\cleaner hackvshack.net.exe

"C:\Users\Admin\AppData\Local\Temp\cleaner hackvshack.net.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color 0b

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im steam.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im OneDrive.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-15773 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-15773 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-%random%-%random} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-15773-%random} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-1577313326715 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-15773 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-15773 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-1577313326715 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-15773-13326-71520500} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-15773-13326-71520500} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-15773-13326-71520500} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-15773-13326-71520500 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-15773-13326-71520500 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-15773-13326-71520500 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-15773-13326-71520500 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-15773-13326-71520500 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-15773-13326-71520500 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-15773-13326-71520500 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-15773-13326-71520500} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-15773-13326-71520500} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 15773 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f >nul 2>&1

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple15773-13326-715-205003244} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple15773-13326-715-205003244} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 15773 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 15773 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 15773 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 15773-13326-715-20500 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%-%random%-%random%-%random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 1577624075-18579-11795-13558-179413214016923 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Apple15776-24075-18579-11795 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple15776 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 15776 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 15776 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple%random%-%random%-%random%-%random%} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple15776-24075-18579-11795} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f

C:\Windows\system32\reg.exe

REG delete HKCU\Software\Epic" "Games /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games /f

C:\Windows\system32\reg.exe

REG delete HKCU\Software\Epic Games /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f

C:\Windows\system32\reg.exe

REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f

C:\Windows\system32\reg.exe

REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 15776-24075-18579-1179513558 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f

C:\Windows\system32\reg.exe

reg delete HKCR\com.epicgames.launcher /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\MountedDevices /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-15776-24075-1857911795 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-15776-24075-1857911795 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-15776-24075-1857911795 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-15776-24075-1857911795 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-15776-24075-1857911795 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\MountedDevices /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f

C:\Windows\system32\reg.exe

reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f

C:\Windows\system32\reg.exe

reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f

C:\Windows\system32\reg.exe

reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f

C:\Windows\system32\reg.exe

reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 157762407518579117951355817941321401692328996297552590525385 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-15776-24075-1857911795 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-15776-24075-1857911795 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%%random%-%random%-%random%%random%-%random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 1577624075-18579-1179513558-179413214016923 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f

C:\Windows\system32\reg.exe

reg delete HKCU\Software\Classes\Interface /v ClsidStore /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-15776-24075-1857911795 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-15776-24075-1857911795 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 15780205536763090238732186824851399612739236072575725430 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 157802055367630902387321868248513996127392360725757 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 1578020553676309023873218682485139961273923607 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 15780205536763090238732186824851399612739236072575725430 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 15780205536763090238732186824851399612739 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 15780205536763090238732186824851399612739 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 15780205536763090238732186824851399612739 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 1578020553676 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 1578020553676 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 1578020553676 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 1578020553676 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 15780205536763090238732186824851399612739236072575725430 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.%random%.%random%-%random%_%random%%random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.15780.2055-3676_309023873 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {15780-2055-3676-3090} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f

C:\Windows\system32\reg.exe

reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Blizzard Entertainment\Battle.net /f

C:\Windows\system32\reg.exe

reg delete HKCU\Software\Blizzard Entertainment\Battle.net /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKLM\Software\WOW6432Node\Blizzard Entertainment /f

C:\Windows\system32\reg.exe

reg delete HKLM\Software\WOW6432Node\Blizzard Entertainment /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%localappdata%\FortniteGame

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%localappdata%\EpicGames

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%localappdata%\EpicGamesLauncher

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rd /q /s %systemdrive%\$Recycle.Bin

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Logs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\Public\Documents

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\Intel

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\Public\Libraries

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\MSOCache

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp

Files
