hxxps://gofile[.]io/d/e4Vtkf

Analysis

max time kernel
162s
max time network
263s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/e4Vtkf

Score

10^/10

discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
116	Process not Found
1840	Process not Found

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	cmd.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WEBCAC~1.DAT	cmd.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WEBCAC~1.DAT	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\DIAGTR~1.005	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\MICROS~1.ETL	cmd.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\OFFICE~1.DB	cmd.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\OFFICE~2.DB-	cmd.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\OFFICE~1.DB-	cmd.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log	cmd.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WEBCAC~1.JFM	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\LWTNET~1.ETL	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\netl260a.inf	cmd.exe
File opened for modification	C:\Windows\INF\compositebus.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_fsactivitymonitor.inf	cmd.exe
File opened for modification	C:\Windows\INF\iaLPSS2i_I2C_CNL.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmati.inf	cmd.exe
File opened for modification	C:\Windows\INF\netl160a.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0410\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\mdmkortx.inf	cmd.exe
File opened for modification	C:\Windows\INF\usbser.inf	cmd.exe
File opened for modification	C:\Windows\INF\vdrvroot.inf	cmd.exe
File opened for modification	C:\Windows\INF\msdri.inf	cmd.exe
File opened for modification	C:\Windows\INF\wvmbus.inf	cmd.exe
File opened for modification	C:\Windows\INF\.NET CLR Networking 4.0.0.0\_NetworkingPerfCounters.h	cmd.exe
File opened for modification	C:\Windows\INF\c_keyboard.inf	cmd.exe
File opened for modification	C:\Windows\INF\hidspi_km.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmeric2.inf	cmd.exe
File opened for modification	C:\Windows\INF\wsearchidxpi\idxcntrs.h	cmd.exe
File opened for modification	C:\Windows\INF\c_multiportserial.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmmoto1.inf	cmd.exe
File opened for modification	C:\Windows\INF\ntprint4.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\040C\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\c_fsantivirus.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_smartcard.inf	cmd.exe
File opened for modification	C:\Windows\INF\displayoverride.inf	cmd.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DATAST~1.EDB	cmd.exe
File opened for modification	C:\Windows\INF\ialpssi_i2c.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmtexas.inf	cmd.exe
File opened for modification	C:\Windows\INF\microsoft_bluetooth_hfp_hf.inf	cmd.exe
File opened for modification	C:\Windows\INF\adp80xx.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_legacydriver.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_netclient.inf	cmd.exe
File opened for modification	C:\Windows\INF\urssynopsys.inf	cmd.exe
File opened for modification	C:\Windows\INF\acpipmi.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_smrvolume.inf	cmd.exe
File opened for modification	C:\Windows\INF\TermService\0411\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\ykinx64.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\0411\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGatherer\0C0A\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\hidi2c.inf	cmd.exe
File opened for modification	C:\Windows\INF\ndisimplatform.inf	cmd.exe
File opened for modification	C:\Windows\INF\netvf63a.inf	cmd.exe
File opened for modification	C:\Windows\INF\qd3x64.inf	cmd.exe
File opened for modification	C:\Windows\INF\cmbatt.inf	cmd.exe
File opened for modification	C:\Windows\INF\hidir.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_cashdrawer.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmmotou.inf	cmd.exe
File opened for modification	C:\Windows\INF\mrvlpcie8897.inf	cmd.exe
File opened for modification	C:\Windows\INF\netrndis.inf	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0410\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\mdmhay2.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmmhrtz.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmtdkj5.inf	cmd.exe
File opened for modification	C:\Windows\INF\netloop.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_net.inf	cmd.exe
File opened for modification	C:\Windows\INF\mwlu97w8x64.inf	cmd.exe
File opened for modification	C:\Windows\INF\dshowext.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmbtmdm.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmzyxlg.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmnttp.inf	cmd.exe
File opened for modification	C:\Windows\INF\net7800-x64-n650f.inf	cmd.exe
File opened for modification	C:\Windows\INF\netk57a.inf	cmd.exe
File opened for modification	C:\Windows\INF\.NET CLR Networking 4.0.0.0\0C0A\_Networkingperfcounters_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\61883.inf	cmd.exe
File opened for modification	C:\Windows\INF\ipmidrv.inf	cmd.exe

Launches sc.exe 18 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
744	Process not Found
4632	Process not Found
3260	Process not Found
4892	Process not Found
744	Process not Found
1548	Process not Found
4032	Process not Found
1332	Process not Found
4916	Process not Found
5384	Process not Found
4084	Process not Found
536	Process not Found
2476	Process not Found
2792	Process not Found
4220	Process not Found
5668	Process not Found
5760	Process not Found
5652	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4940	reg.exe
3152	reg.exe
5108	reg.exe
2440	reg.exe
4728	reg.exe
5084	reg.exe
5684	reg.exe
5380	reg.exe
536	reg.exe
2792	Process not Found
4916	Process not Found
3584	reg.exe
4104	reg.exe
1804	reg.exe
1644	reg.exe
5892	reg.exe
4288	reg.exe
4892	Process not Found
3260	Process not Found
5384	Process not Found
6008	reg.exe
2884	reg.exe
1012	reg.exe
3868	reg.exe
2572	reg.exe
3516	reg.exe
1684	reg.exe
5072	reg.exe
2052	reg.exe
4032	Process not Found

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "Neutron-8957"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "/ve"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "Neutron-20300"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion = "Neutron-23268"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "Neutron-2095"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU = "Neutron-22901"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "/ve"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "Neutron-27883"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily = "Neutron-19814"	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "Neutron-1963166334489"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "Neutron-28229960814953"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "Neutron-28672"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "Neutron-303182646827845"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "Neutron-27539"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "Neutron-2360255598425"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily = "Neutron-10013"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Neutron-22322"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "/ve"	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2052	Process not Found
3692	Process not Found
2616	Process not Found
5572	Process not Found
1912	Process not Found

Kills process with taskkill 64 IoCs

evasion

pid	Process
6096	taskkill.exe
5860	Process not Found
4032	Process not Found
5896	Process not Found
5792	Process not Found
3532	Process not Found
2100	Process not Found
4940	Process not Found
2304	Process not Found
60	Process not Found
5772	taskkill.exe
5608	taskkill.exe
5960	Process not Found
5552	Process not Found
5084	Process not Found
4104	Process not Found
2792	Process not Found
60	Process not Found
3492	Process not Found
1924	Process not Found
5628	taskkill.exe
3320	taskkill.exe
1184	Process not Found
5300	Process not Found
1556	Process not Found
884	Process not Found
2276	Process not Found
6040	taskkill.exe
5336	Process not Found
6096	Process not Found
1332	Process not Found
3272	Process not Found
6084	taskkill.exe
1564	Process not Found
1692	Process not Found
4060	Process not Found
1328	taskkill.exe
1836	Process not Found
5988	Process not Found
5228	taskkill.exe
2476	Process not Found
2444	Process not Found
5988	Process not Found
2488	Process not Found
5892	Process not Found
2928	Process not Found
5592	Process not Found
1492	taskkill.exe
4900	Process not Found
3776	Process not Found
1592	Process not Found
5456	Process not Found
5624	Process not Found
5640	taskkill.exe
5652	Process not Found
3272	Process not Found
5880	Process not Found
5724	Process not Found
1400	Process not Found
5896	Process not Found
5848	Process not Found
5616	taskkill.exe
5696	taskkill.exe
5552	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Process not Found

Modifies registry class 38 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\discord-432980957394370572\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\12	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\0\1\0\0	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\discord-432980957394370572\DefaultIcon	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3235051776-1179596201-1620534504-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\discord-432980957394370572\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\8\0	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\discord-432980957394370572\DefaultIcon	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\8\0	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\12	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\0\1\0\0	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1"	Process not Found

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5708	Process not Found
5752	Process not Found
5472	reg.exe
5684	Process not Found
6124	reg.exe
2304	Process not Found
4692	reg.exe
4272	reg.exe
2036	Process not Found
3244	Process not Found
972	reg.exe
3676	reg.exe
5320	reg.exe
408	Process not Found
2080	reg.exe
5540	reg.exe
5384	Process not Found
4872	reg.exe
1556	Process not Found
2132	reg.exe
6044	reg.exe
6136	reg.exe
4224	Process not Found
3220	reg.exe
5264	Process not Found
4264	reg.exe
1564	Process not Found
1604	reg.exe
5808	reg.exe
376	reg.exe
3608	reg.exe
6112	reg.exe
2420	reg.exe
6140	reg.exe
224	Process not Found
920	Process not Found
5052	reg.exe
4884	reg.exe
5024	reg.exe
4952	reg.exe
5156	reg.exe
3080	Process not Found
5780	reg.exe
4032	reg.exe
5592	Process not Found
3808	Process not Found
2120	reg.exe
2108	reg.exe
6100	reg.exe
2052	reg.exe
64	Process not Found
1704	Process not Found
5464	reg.exe
5512	reg.exe
6100	reg.exe
1320	reg.exe
3100	Process not Found
2224	Process not Found
1648	Process not Found
972	reg.exe
2692	Process not Found
5736	Process not Found
6056	reg.exe
5420	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1044	msedge.exe
1044	msedge.exe
2424	msedge.exe
2424	msedge.exe
3248	identity_helper.exe
3248	identity_helper.exe
4904	msedge.exe
4904	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	6052	7zG.exe
Token: 35	6052	7zG.exe
Token: SeSecurityPrivilege	6052	7zG.exe
Token: SeSecurityPrivilege	6052	7zG.exe
Token: SeRestorePrivilege	2080	7zG.exe
Token: 35	2080	7zG.exe
Token: SeSecurityPrivilege	2080	7zG.exe
Token: SeSecurityPrivilege	2080	7zG.exe
Token: SeDebugPrivilege	5616	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	5988	taskkill.exe
Token: SeDebugPrivilege	5144	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	884	taskkill.exe
Token: SeDebugPrivilege	5640	taskkill.exe
Token: SeDebugPrivilege	5756	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	5696	taskkill.exe
Token: SeDebugPrivilege	6040	taskkill.exe
Token: SeDebugPrivilege	5616	taskkill.exe
Token: SeDebugPrivilege	5952	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	6096	taskkill.exe
Token: SeDebugPrivilege	5548	taskkill.exe
Token: SeDebugPrivilege	5772	taskkill.exe
Token: SeDebugPrivilege	5752	taskkill.exe
Token: SeDebugPrivilege	3288	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	5608	taskkill.exe
Token: SeDebugPrivilege	5628	taskkill.exe
Token: SeDebugPrivilege	6084	taskkill.exe
Token: SeDebugPrivilege	5564	taskkill.exe
Token: SeDebugPrivilege	5552	taskkill.exe
Token: SeDebugPrivilege	3320	taskkill.exe
Token: SeDebugPrivilege	5640	taskkill.exe
Token: SeDebugPrivilege	5228	taskkill.exe
Token: SeDebugPrivilege	6056	taskkill.exe
Token: SeDebugPrivilege	4900	Process not Found
Token: SeDebugPrivilege	6072	Process not Found
Token: SeDebugPrivilege	5336	Process not Found
Token: SeDebugPrivilege	4084	Process not Found
Token: SeDebugPrivilege	3532	Process not Found
Token: SeDebugPrivilege	5696	Process not Found
Token: SeDebugPrivilege	5892	Process not Found
Token: SeDebugPrivilege	3684	Process not Found
Token: SeDebugPrivilege	2100	Process not Found
Token: SeDebugPrivilege	5960	Process not Found
Token: SeDebugPrivilege	1184	Process not Found
Token: SeDebugPrivilege	2488	Process not Found
Token: SeDebugPrivilege	5340	Process not Found
Token: SeDebugPrivilege	3664	Process not Found
Token: SeDebugPrivilege	2444	Process not Found
Token: SeDebugPrivilege	1564	Process not Found
Token: SeDebugPrivilege	5652	Process not Found
Token: SeDebugPrivilege	1400	Process not Found
Token: SeDebugPrivilege	4940	Process not Found
Token: SeDebugPrivilege	4104	Process not Found
Token: SeDebugPrivilege	2792	Process not Found
Token: SeDebugPrivilege	3584	Process not Found
Token: SeDebugPrivilege	6096	Process not Found
Token: SeDebugPrivilege	4612	Process not Found
Token: SeDebugPrivilege	5716	Process not Found
Token: SeDebugPrivilege	2476	Process not Found

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
6052	7zG.exe
2080	7zG.exe
5856	Process not Found

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2252	2424	msedge.exe	84
PID 2424 wrote to memory of 2252	2424	msedge.exe	84
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 2372	2424	msedge.exe	85
PID 2424 wrote to memory of 1044	2424	msedge.exe	86
PID 2424 wrote to memory of 1044	2424	msedge.exe	86
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87
PID 2424 wrote to memory of 3956	2424	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/e4Vtkf
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce0eb46f8,0x7ffce0eb4708,0x7ffce0eb4718
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,7382881738892211835,11051057309818351659,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5000 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5280

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap32543:120:7zEvent16408
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6052

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap2254:116:7zEvent13241
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\3.bat" "
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
PID:4892
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5616
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5988
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5144
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher\Saved\Logs\*.* "
  2⤵
  PID:5964
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher\Saved\webcache\Service Worker\CacheStorage\*.* "
  2⤵
  PID:5940
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher\Saved\webcache\GPUCache\*.* "
  2⤵
  PID:2140
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\Config\WindowsClient\*.* "
  2⤵
  PID:6072
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir\*.* "
  2⤵
  PID:6084
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\LMS\*.* "
  2⤵
  PID:6100
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\Cloud\*.* "
  2⤵
  PID:6116
- C:\Windows\system32\reg.exe
  REG DELETE "HKCR\discord-432980957394370572\DefaultIcon" /ve /f
  2⤵
  PID:6132
- C:\Windows\system32\reg.exe
  REG DELETE "HKCR\discord-432980957394370572\shell\open\command" /ve /f
  2⤵
  PID:5164
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder" /v "24" /f
  2⤵
  PID:5200
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder" /f
  2⤵
  PID:2228
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\discord-432980957394370572\DefaultIcon" /ve /f
  2⤵
  PID:5176
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\discord-432980957394370572\DefaultIcon" /f
  2⤵
  - Modifies registry class
  PID:5196
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\discord-432980957394370572\shell\open\command" /ve /f
  2⤵
  PID:6076
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\discord-432980957394370572\shell\open\command" /f
  2⤵
  - Modifies registry class
  PID:6052
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0" /v "12" /f
  2⤵
  PID:5044
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\12" /v "0" /f
  2⤵
  PID:5256
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\12" /f
  2⤵
  - Modifies registry class
  PID:368
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\0\1\0" /v "0" /f
  2⤵
  PID:3296
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\0\1\0\0" /v "1" /f
  2⤵
  PID:216
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\0\1\0\0" /f
  2⤵
  - Modifies registry class
  PID:2036
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3" /v "7" /f
  2⤵
  PID:4640
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3" /v "8" /f
  2⤵
  PID:1604
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\8" /v "0" /f
  2⤵
  PID:4060
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\8\0" /v "0" /f
  2⤵
  PID:4412
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\8\0" /f
  2⤵
  - Modifies registry class
  PID:3268
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0" /v "0" /f
  2⤵
  PID:1708
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0" /v "0" /f
  2⤵
  PID:4916
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0" /f
  2⤵
  - Modifies registry class
  PID:3872
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
  2⤵
  PID:5852
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
  2⤵
  PID:3864
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d {----} /fW
  2⤵
  PID:5700
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d {----} /f
  2⤵
  PID:5784
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d /ve /f
  2⤵
  - Enumerates system info in registry
  PID:5796
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  - Enumerates system info in registry
  PID:4796
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  - Enumerates system info in registry
  PID:5468
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:5484
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:5428
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:5828
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:5508
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:5532
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:4544
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:900
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:2932
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:5480
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:4428
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
  2⤵
  PID:5360
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
  2⤵
  PID:3208
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
  2⤵
  PID:4376
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
  2⤵
  PID:2440
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
  2⤵
  PID:6008
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:2360
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:3272
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:5072
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:1012
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:4828
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:5792
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:5556
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:5684
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:5580
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:452
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:4288
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:456
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:2576
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:4120
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:5548
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:3608
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:5728
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:2080
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:5744
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:5756
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:4648
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:636
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:1464
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d Neutron-241613563735 /f
  2⤵
  - Enumerates system info in registry
  PID:5856
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d Neutron-2360255598425 /f
  2⤵
  - Enumerates system info in registry
  PID:5692
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d Neutron-15764317065222 /f
  2⤵
  - Enumerates system info in registry
  PID:5628
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d Neutron-24602201326403 /f
  2⤵
  PID:1900
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d Neutron-59172652611871 /f
  2⤵
  PID:1416
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d Neutron-100471316020478 /f
  2⤵
  PID:1456
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d Neutron-1724357117194 /f
  2⤵
  PID:5916
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d Neutron-70122503615680 /f
  2⤵
  PID:440
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d Neutron-28273190625768 /f
  2⤵
  PID:3708
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d Neutron-19754279243957 /f
  2⤵
  PID:5220
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d Neutron-13992613810617 /f
  2⤵
  PID:6012
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d Neutron-261232683721472 /f
  2⤵
  PID:1328
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d Neutron-8629403629089 /f
  2⤵
  PID:376
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d Neutron-286372095632054 /f
  2⤵
  PID:2324
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d Neutron-43101430429741 /f
  2⤵
  PID:5964
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d Neutron-25971122371072 /f
  2⤵
  PID:5940
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d Neutron-74342384576 /f
  2⤵
  PID:2140
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d Neutron-30729316711099 /f
  2⤵
  PID:6072
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d Neutron-2691350023406 /f
  2⤵
  PID:6084
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d Neutron-216790377375 /f
  2⤵
  PID:6100
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d Neutron-1777529320763 /f
  2⤵
  PID:6116
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d Neutron-93061492229638 /f
  2⤵
  PID:6140
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d Neutron-228091042323626 /f
  2⤵
  PID:5164
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d Neutron-14011293377519 /f
  2⤵
  PID:5200
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d Neutron-534256703688 /f
  2⤵
  PID:2228
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d Neutron-22750118068934 /f
  2⤵
  PID:5176
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d Neutron-285761182521108 /f
  2⤵
  PID:5196
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d Neutron-69652457413682 /f
  2⤵
  PID:6076
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d Neutron-1758965113974 /f
  2⤵
  PID:6052
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d Neutron-1975258971477 /f
  2⤵
  PID:5044
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d Neutron-140212923932704 /f
  2⤵
  PID:5256
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d Neutron-220142340025774 /f
  2⤵
  PID:368
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d Neutron-9853246025163 /f
  2⤵
  PID:3296
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d Neutron-79392809410070 /f
  2⤵
  PID:216
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d Neutron-112372512811196 /f
  2⤵
  PID:2036
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d Neutron-85331721810307 /f
  2⤵
  PID:4640
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d Neutron-24600282888768 /f
  2⤵
  PID:1604
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d Neutron-102511477518684 /f
  2⤵
  PID:4060
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d Neutron-15341010011984 /f
  2⤵
  PID:4412
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d Neutron-138112651424974 /f
  2⤵
  PID:3268
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d Neutron-233631499727898 /f
  2⤵
  PID:1708
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d Neutron-938644525181 /f
  2⤵
  PID:4916
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d Neutron-2619714721977 /f
  2⤵
  PID:3872
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d Neutron-31382 /f
  2⤵
  - Modifies registry key
  PID:2120
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Neutron-11092 /f
  2⤵
  - Enumerates system info in registry
  - Modifies registry key
  PID:4264
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardVersion /t REG_SZ /d Neutron-25101 /f
  2⤵
  - Enumerates system info in registry
  - Modifies registry key
  PID:3220
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BIOSVersion /t REG_SZ /d Neutron-29753 /f
  2⤵
  - Enumerates system info in registry
  - Modifies registry key
  PID:5780
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemFamily /t REG_SZ /d Neutron-10013 /f
  2⤵
  - Enumerates system info in registry
  PID:2756
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d Neutron-27883 /f
  2⤵
  - Enumerates system info in registry
  PID:3196
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d Neutron-28672 /f
  2⤵
  - Enumerates system info in registry
  PID:4972
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemSKU /t REG_SZ /d Neutron-22901 /f
  2⤵
  - Enumerates system info in registry
  - Modifies registry key
  PID:5420
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemVersion /t REG_SZ /d Neutron-13416 /f
  2⤵
  - Modifies registry key
  PID:5472
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d Neutron-20300 /f
  2⤵
  - Enumerates system info in registry
  PID:5500
- C:\Windows\system32\reg.exe
  REG ADD "HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\THEGUY3ds\Downloads\Caught.Power-cleaned.exe.ApplicationCompany" /t REG_SZ /d "Neutron-26199" /f
  2⤵
  - Modifies registry class
  PID:5516
- C:\Windows\system32\reg.exe
  REG ADD "HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\THEGUY3ds\Downloads\Caught.Power.exe.ApplicationCompany" /t REG_SZ /d "Neutron-26946" /f
  2⤵
  - Modifies registry class
  PID:2504
- C:\Windows\system32\reg.exe
  REG ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\THEGUY3ds\Downloads\Caught.Power-cleaned.exe.ApplicationCompany" /t REG_SZ /d "Neutron-19143" /f
  2⤵
  - Modifies registry class
  PID:2800
- C:\Windows\system32\reg.exe
  REG ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\THEGUY3ds\Downloads\Caught.Power.exe.ApplicationCompany" /t REG_SZ /d "Neutron-24597" /f
  2⤵
  - Modifies registry class
  PID:1292
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion" /v "RegisteredOrganization" /t REG_SZ /d "Neutron-18566" /f
  2⤵
  PID:5460
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters" /v "HostName" /t REG_SZ /d "Neutron-21591" /f
  2⤵
  PID:5452
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters" /v "NV HostName" /t REG_SZ /d "Neutron-26346" /f
  2⤵
  PID:5380
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC}" /v "Hostname" /t REG_SZ /d "Neutron-15560" /f
  2⤵
  PID:5584
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB}" /v "Hostname" /t REG_SZ /d "Neutron-17240" /f
  2⤵
  PID:5872
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD}" /v "Hostname" /t REG_SZ /d "Neutron-17501" /f
  2⤵
  PID:4884
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "HostName" /t REG_SZ /d "Neutron-15268" /f
  2⤵
  PID:5320
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "NV HostName" /t REG_SZ /d "Neutron-32125" /f
  2⤵
  PID:5932
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC}" /v "Hostname" /t REG_SZ /d "Neutron-15576" /f
  2⤵
  PID:3968
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB}" /v "Hostname" /t REG_SZ /d "Neutron-15429" /f
  2⤵
  PID:5024
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD}" /v "Hostname" /t REG_SZ /d "Neutron-24814" /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"
  2⤵
  PID:1872
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"
  2⤵
  PID:4728
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"
  2⤵
  PID:4008
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f"
  2⤵
  PID:5564
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {----80} /f
  2⤵
  PID:5552
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d ----80 /f
  2⤵
  PID:5576
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {14291-7026-21214-29743} /f
  2⤵
  - Modifies registry key
  PID:4032
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Admin11820} /f
  2⤵
  - Modifies registry key
  PID:972
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 2134-31655-3515-32538 /f
  2⤵
  PID:4632
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
  2⤵
  PID:2792
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Desktop12573 /f
  2⤵
  - Modifies registry key
  PID:2420
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5640
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName\ /v ComputerName /t REG_SZ /d Neutron-20962 /f
  2⤵
  - Modifies registry key
  PID:3608
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ /v Hostname /t REG_SZ /d Neutron-12185 /f
  2⤵
  PID:5728
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ /v "NV Hostname" /t REG_SZ /d Neutron-26900 /f
  2⤵
  - Modifies registry key
  PID:2080
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /v
  2⤵
  PID:5744
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5756
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5696
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:5624
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:1300
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:5968
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:4740
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:4272
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:5908
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:5264
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:5144
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  2⤵
  PID:1572
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d ---- /f
  2⤵
  PID:5616
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d ---- /f
  2⤵
  PID:1592
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
  2⤵
  PID:376
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
  2⤵
  PID:2324
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d {----} /fW
  2⤵
  PID:5964
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d {----} /f
  2⤵
  PID:5940
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  2⤵
  PID:2140
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
  2⤵
  PID:6072
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
  2⤵
  PID:6084
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
  2⤵
  PID:6100
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:6116
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:6140
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
  2⤵
  PID:5164
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:5200
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:2228
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
  2⤵
  PID:5176
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:5196
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
  2⤵
  - Checks processor information in registry
  PID:6076
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:6052
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
  2⤵
  PID:5044
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  2⤵
  PID:5256
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:368
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  2⤵
  PID:3296
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
  2⤵
  PID:4492
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:216
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
  2⤵
  PID:4640
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
  2⤵
  PID:1604
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
  2⤵
  PID:4060
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
  2⤵
  PID:4412
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
  2⤵
  PID:3268
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
  2⤵
  PID:1708
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
  2⤵
  PID:4916
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
  2⤵
  PID:3872
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f
  2⤵
  PID:2120
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
  2⤵
  PID:4264
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
  2⤵
  PID:3220
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
  2⤵
  PID:5780
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
  2⤵
  PID:2756
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
  2⤵
  PID:3196
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
  2⤵
  PID:4972
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"
  2⤵
  PID:5420
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"
  2⤵
  PID:5472
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"
  2⤵
  PID:5508
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f"
  2⤵
  PID:5500
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\CapSids: 0A 00 00 00 01 02 00 00 00 00 00 0F 03 00 00 00 01 00 00 00 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 E8 41 FE 65 15 CB 86 8E 43 2C E1 30 42 2A B3 51 4E 9C 0E 17 B4 1B 89 09 98 DA 44 8D 13 6A 0C B3 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 E4 29 72 AE 52 A9 2E 19 C4 FB 6C 51 9E 00 25 50 5B 64 A6 6F A4 D2 D0 57 D2 DB D7 37 F2 B0 85 AC 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 0B 44 35 CF 44 6C 30 B5 4C 90 DA 15 DB 4C 09 94 5A 08 A5 69 F0 DC C5 65 02 4A 7B B9 A8 2C DA C2 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 3C DA 35 57 2A 15 FA C8 02 C1 BC 52 65 2B D8 EC C8 8E 72 9B 62 79 A8 20 65 1E 06 07 AF 02 70 0C 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 CE 22 45 27 27 B8 EA 12 11 8A 20 EF 09 19 FD 6B B8 B4 A0 D6 03 10 5B DD D6 CF 74 85 60 22 D2 CD 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 0A D5 CA 1A 96 05 1C F5 5E 2C 0C CE 2A E" /f"
  2⤵
  PID:2504
- C:\Windows\system32\reg.exe
  reg delete "8 F3 66 B9 86 13 95 5D 1A 40 0A 7F 52 A9 BA B2 23 04 83 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 38 B0 4E D5 42 5B 15 DF 75 ED 77 00 0E 5B 16 73 C1 5E D2 AF 68 BF 75 AD 38 35 1D 6A 1E 9A 12 F7 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 AF 37 E5 A2 58 AD 48 66 53 E6 1F 53 B9 42 0E EA 34 9C E5 B6 48 3A DB 78 9F 5C A7 33 FE 7E 97 1A 01 08 00 00 00 00 00 0F 03 00 00 00 CC 77 B2 6C CA 01 58 51 6A 28 60 81 E1 F6 0B 69 78 9C FE 8E 66 F8 8F CE 29 11 79 DE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" /f"
  2⤵
  PID:2800
- C:\Windows\system32\reg.exe
  reg delete " 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" /f"
  2⤵
  PID:1292
- C:\Windows\system32\reg.exe
  reg delete " 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" /f"
  2⤵
  PID:5460
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:5452
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5380
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
  2⤵
  PID:5584
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3868
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f"
  2⤵
  PID:4532
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f"
  2⤵
  PID:5812
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f"
  2⤵
  PID:4712
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f"
  2⤵
  PID:4500
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f"
  2⤵
  PID:5012
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f"
  2⤵
  PID:1664
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f"
  2⤵
  PID:4888
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games. /f"
  2⤵
  PID:4612
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f"
  2⤵
  PID:5568
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\\SOFTWARE\\Google\\Update\\UsageStats\\Daily\\Counts\\opt_in_uid_generated=" /f
  2⤵
  PID:5560
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\\SOFTWARE\\EasyAntiCheat\\GamesInstalled=217;" /f
  2⤵
  PID:1984
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\\SOFTWARE\\Razer Chroma SDK\\FortniteClient-Win64-Shipping.exe\\Path=D:\\Fortnite\\FortniteGame\\Binaries\\Win64\\FortniteClient-Win64-Shipping.exe" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3584
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\\SOFTWARE\\Razer Chroma SDK\\FortniteClient-Win64-Shipping.exe\\Title=FortniteClient-Win64-Shipping.exe" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4104
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\\SOFTWARE\\Razer Chroma SDK\\FortniteClient-Win64-Shipping.exe\\Author=Chroma developer" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2572
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1804
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe\LastDetectionTime: F9 8F FD B6 8D 13 D5 01" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4940
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5108
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f
  2⤵
  PID:2740
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:536
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
  2⤵
  PID:5724
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
  2⤵
  PID:5732
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
  2⤵
  PID:5760
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
  2⤵
  PID:5764
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
  2⤵
  PID:3288
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
  2⤵
  PID:4332
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f
  2⤵
  PID:4552
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
  2⤵
  PID:4684
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 70 42 0C 00 0E EB 0C 00 01 00 00 00 00 00 00 00 00 00 03 06 00 01 00 00 67 07 7C BA C5 4C D4 01 00 00 00 00 00 00 00 00 02 00 00 00 28 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 83 0C 00 00 00 00 00 00 01 00 00 00 01 00 00 00" /f
  2⤵
  PID:1492
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\DefaultIcon\: "C:\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe"" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3516
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open\command\: "C:\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe"" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5084
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1644
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe\LastDetectionTime: F9 8F FD B6 8D 13 D5 01" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5892
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:1548
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:4012
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
  2⤵
  PID:5224
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:5216
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:6044
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6040
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5616
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5952
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3492
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6096
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  2⤵
  PID:6128
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
  2⤵
  PID:4912
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
  2⤵
  PID:5152
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
  2⤵
  PID:3024
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:5168
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:5208
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
  2⤵
  PID:5180
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:6064
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:3880
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
  2⤵
  PID:5228
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:5276
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
  2⤵
  - Checks processor information in registry
  PID:1884
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
  2⤵
  PID:5280
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  2⤵
  PID:3240
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:3728
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  2⤵
  PID:3104
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
  2⤵
  PID:2312
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
  2⤵
  PID:2816
- C:\Windows\system32\reg.exe
  reg delete \"HKEY_CURRENT_USER\\Software\\Epic Games\" /f
  2⤵
  PID:2220
- C:\Windows\system32\reg.exe
  reg delete \"HKEY_LOCAL_MACHINE\\Software\\Epic Games\" /f
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  reg delete \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\com.epicgames.launcher\" /f
  2⤵
  PID:1320
- C:\Windows\system32\reg.exe
  reg delete \"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\EpicGames\" /f
  2⤵
  PID:5324
- C:\Windows\system32\reg.exe
  reg delete \"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Epic Games\" /f
  2⤵
  PID:6132
- C:\Windows\system32\reg.exe
  reg delete \"HKEY_CLASSES_ROOT\\com.epicgames.launcher\" /f
  2⤵
  PID:5852
- C:\Windows\system32\reg.exe
  reg delete \"HKEY_LOCAL_MACHINE\\Software\\Epic Games\" /f
  2⤵
  PID:3864
- C:\Windows\system32\reg.exe
  reg delete \"HKEY_CURRENT_USER\\Software\\Classes\\com.epicgames.launcher\" /f
  2⤵
  PID:5700
- C:\Windows\system32\reg.exe
  reg delete \"HKEY_CURRENT_USER\\Software\\Epic Games\\Unreal Engine\\Hardware Survey\" /f
  2⤵
  PID:5784
- C:\Windows\system32\reg.exe
  reg delete \"HKEY_CURRENT_USER\\Software\\Epic Games\\Unreal Engine\\Identifiers\" /f
  2⤵
  PID:5796
- C:\Windows\system32\reg.exe
  reg delete \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\com.epicgames.launcher\" /f
  2⤵
  PID:4796
- C:\Windows\system32\reg.exe
  reg delete \"HKEY_LOCAL_MACHINE\\SOFTWARE\\EpicGames\" /f
  2⤵
  PID:5468
- C:\Windows\system32\reg.exe
  reg delete \"HKEY_CURRENT_USER\\SOFTWARE\\EpicGames\" /f
  2⤵
  PID:5484
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:5428
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:5828
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:5388
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:5532
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
  2⤵
  PID:4544
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:3400
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:2504
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:5368
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:1052
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:5360
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:3900
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-3235051776-1179596201-1620534504-1001" /v "\Device\HarddiskVolume4\Program Files\Epic Games\Fortnite\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe" /f
  2⤵
  PID:4884
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-3235051776-1179596201-1620534504-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Program Files\Epic Games\Fortnite\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe.FriendlyAppName" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1684
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-3235051776-1179596201-1620534504-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Program Files\Epic Games\Fortnite\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe.ApplicationCompany" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2440
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-3235051776-1179596201-1620534504-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched" /v "{6D809377-6AF0-444B-8957-A3773F02200E}\Epic Games\Fortnite\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6008
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-3235051776-1179596201-1620534504-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched" /f
  2⤵
  PID:5024
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-3235051776-1179596201-1620534504-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView" /v "{6D809377-6AF0-444B-8957-A3773F02200E}\Epic Games\Fortnite\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2884
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-3235051776-1179596201-1620534504-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Program Files\Epic Games\Fortnite\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe.FriendlyAppName" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5072
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-3235051776-1179596201-1620534504-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Program Files\Epic Games\Fortnite\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe.ApplicationCompany" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1012
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Khronos\Vulkan\ImplicitLayers" /v "C:\Users\Centu\OneDrive\Desktop\Fortnite\Epic Games\Launcher\Portal\Extras\Overlay\EOSOverlayVkLayer-Win32.json" /f
  2⤵
  PID:4828
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Khronos\Vulkan\ImplicitLayers" /v "C:\Users\Centu\OneDrive\Desktop\Fortnite\Epic Games\Launcher\Portal\Extras\Overlay\EOSOverlayVkLayer-Win64.json" /f
  2⤵
  PID:5792
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:5556
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Program Files\Epic Games\Fortnite\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe.FriendlyAppName" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5684
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Khronos\Vulkan\ImplicitLayers" /v "C:\Users\Centu\OneDrive\Desktop\Fortnite\Epic Games\Launcher\Portal\Extras\Overlay\EOSOverlayVkLayer-Win32.json" /f
  2⤵
  PID:5580
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Khronos\Vulkan\ImplicitLayers" /v "C:\Users\Centu\OneDrive\Desktop\Fortnite\Epic Games\Launcher\Portal\Extras\Overlay\EOSOverlayVkLayer-Win64.json" /f
  2⤵
  PID:452
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Program Files\Epic Games\Fortnite\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe.ApplicationCompany" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4288
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-3235051776-1179596201-1620534504-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /f
  2⤵
  - Modifies registry class
  PID:456
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-3235051776-1179596201-1620534504-1001\Software\Khronos\Vulkan\ImplicitLayers" /v "C:\Users\Centu\OneDrive\Desktop\Fortnite\Epic Games\Launcher\Portal\Extras\Overlay\EOSOverlayVkLayer-Win32.json" /f
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  REG DELETE "HKCR\com.epicgames.launcher" /f
  2⤵
  PID:4120
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-3235051776-1179596201-1620534504-1001\Software\Khronos\Vulkan\ImplicitLayers" /v "C:\Users\Centu\OneDrive\Desktop\Fortnite\Epic Games\Launcher\Portal\Extras\Overlay\EOSOverlayVkLayreg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:2576
- C:\Windows\system32\taskkill.exe
  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5548
- C:\Windows\system32\taskkill.exe
  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5772
- C:\Windows\system32\taskkill.exe
  taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5752
- C:\Windows\system32\taskkill.exe
  taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3288
- C:\Windows\system32\taskkill.exe
  taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- C:\Windows\system32\taskkill.exe
  taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5608
- C:\Windows\system32\taskkill.exe
  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5628
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:1644
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:5892
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:4740
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
  2⤵
  PID:4272
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:5908
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:5264
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  2⤵
  PID:5144
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
  2⤵
  PID:4016
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
  2⤵
  PID:4024
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:4952
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
  2⤵
  PID:5616
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  2⤵
  PID:376
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:3316
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  2⤵
  PID:5636
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
  2⤵
  PID:6112
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
  2⤵
  PID:6108
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
  2⤵
  PID:6124
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:6100
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:5188
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
  2⤵
  PID:5172
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:5192
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
  2⤵
  PID:5160
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
  2⤵
  PID:6080
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
  2⤵
  PID:6056
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
  2⤵
  PID:3952
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
  2⤵
  PID:1004
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
  2⤵
  PID:2840
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
  2⤵
  PID:4664
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
  2⤵
  PID:712
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
  2⤵
  PID:5212
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f
  2⤵
  PID:5280
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f
  2⤵
  PID:3240
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
  2⤵
  PID:3728
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
  2⤵
  PID:3104
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
  2⤵
  PID:2312
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
  2⤵
  PID:2816
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f
  2⤵
  PID:2220
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
  2⤵
  PID:1320
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
  2⤵
  PID:5324
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:6132
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
  2⤵
  PID:5852
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:3864
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:5700
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  2⤵
  PID:5784
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
  2⤵
  PID:5796
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
  2⤵
  PID:4796
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:5468
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
  2⤵
  PID:5484
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  2⤵
  PID:5428
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:5828
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  2⤵
  PID:5388
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
  2⤵
  PID:5532
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
  2⤵
  PID:4544
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
  2⤵
  PID:3400
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:2504
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:5368
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
  2⤵
  PID:1052
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:5360
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
  2⤵
  PID:3900
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
  2⤵
  PID:4884
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
  2⤵
  PID:2440
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
  2⤵
  PID:6008
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
  2⤵
  PID:5024
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
  2⤵
  PID:5072
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
  2⤵
  PID:1012
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f
  2⤵
  PID:4828
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f
  2⤵
  PID:5792
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
  2⤵
  PID:5556
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
  2⤵
  PID:5684
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
  2⤵
  PID:3320
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
  2⤵
  PID:2236
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
  2⤵
  PID:1224
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
  2⤵
  PID:3080
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
  2⤵
  PID:5652
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher\Saved\Logs\*.* "
  2⤵
  PID:4176
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher\Saved\webcache\Service Worker\CacheStorage\*.* "
  2⤵
  PID:2576
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher\Saved\webcache\GPUCache\*.* "
  2⤵
  PID:536
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\Config\WindowsClient\*.* "
  2⤵
  PID:5768
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir\*.* "
  2⤵
  PID:5728
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\LMS\*.* "
  2⤵
  PID:2080
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "%systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved\Cloud\*.* "
  2⤵
  PID:5764
- C:\Windows\system32\reg.exe
  REG DELETE "HKCR\discord-432980957394370572\DefaultIcon" /ve /f
  2⤵
  PID:1808
- C:\Windows\system32\reg.exe
  REG DELETE "HKCR\discord-432980957394370572\shell\open\command" /ve /f
  2⤵
  PID:3288
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder" /v "24" /f
  2⤵
  PID:4552
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder" /f
  2⤵
  PID:5856
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\discord-432980957394370572\DefaultIcon" /ve /f
  2⤵
  PID:3516
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\discord-432980957394370572\DefaultIcon" /f
  2⤵
  - Modifies registry class
  PID:3984
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\discord-432980957394370572\shell\open\command" /ve /f
  2⤵
  PID:4896
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\discord-432980957394370572\shell\open\command" /f
  2⤵
  - Modifies registry class
  PID:5968
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0" /v "12" /f
  2⤵
  PID:5296
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\12" /v "0" /f
  2⤵
  PID:1548
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\12" /f
  2⤵
  - Modifies registry class
  PID:440
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\0\1\0" /v "0" /f
  2⤵
  PID:5224
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\0\1\0\0" /v "1" /f
  2⤵
  PID:5216
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\0\1\0\0" /f
  2⤵
  - Modifies registry class
  PID:6044
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3" /v "7" /f
  2⤵
  PID:6012
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3" /v "8" /f
  2⤵
  PID:1592
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\8" /v "0" /f
  2⤵
  PID:5948
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\8\0" /v "0" /f
  2⤵
  PID:3052
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\8\0" /f
  2⤵
  - Modifies registry class
  PID:5944
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0" /v "0" /f
  2⤵
  PID:224
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0" /v "0" /f
  2⤵
  PID:3540
- C:\Windows\system32\reg.exe
  REG ADD "HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0" /f
  2⤵
  - Modifies registry class
  PID:6092
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
  2⤵
  PID:6096
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
  2⤵
  PID:6120
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d {----} /fW
  2⤵
  PID:4912
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d {----} /f
  2⤵
  PID:5152
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d /ve /f
  2⤵
  - Enumerates system info in registry
  PID:3024
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  - Enumerates system info in registry
  PID:5168
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  - Enumerates system info in registry
  PID:5184
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:5180
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:6064
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:3880
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:5228
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:5276
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:1884
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:1408
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:3296
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:4492
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
  2⤵
  PID:216
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
  2⤵
  PID:4640
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
  2⤵
  PID:1604
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
  2⤵
  PID:4060
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
  2⤵
  PID:4412
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
  2⤵
  PID:3268
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:1708
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:2320
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:5736
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:2272
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:4264
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:2928
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:3676
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:5444
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:5424
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:5440
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:5504
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:5520
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:5524
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:4444
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:1400
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:2932
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:1564
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:5460
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:5452
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:5380
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:5584
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:3868
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:4532
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:5812
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d Neutron-1963166334489 /f
  2⤵
  - Enumerates system info in registry
  PID:4712
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d Neutron-303182646827845 /f
  2⤵
  - Enumerates system info in registry
  PID:4500
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d Neutron-28229960814953 /f
  2⤵
  - Enumerates system info in registry
  PID:5012
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d Neutron-168931383224901 /f
  2⤵
  PID:1664
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d Neutron-47101937219021 /f
  2⤵
  PID:4888
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d Neutron-23998239722742 /f
  2⤵
  PID:4612
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d Neutron-9945115766102 /f
  2⤵
  PID:5568
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d Neutron-1279671638532 /f
  2⤵
  PID:5560
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d Neutron-16697919832275 /f
  2⤵
  PID:1984
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d Neutron-195902444311489 /f
  2⤵
  PID:3584
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d Neutron-282411428020988 /f
  2⤵
  PID:4632
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d Neutron-3270583838336 /f
  2⤵
  PID:2792
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d Neutron-50402093717282 /f
  2⤵
  PID:2420
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d Neutron-21247318709808 /f
  2⤵
  PID:3664
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d Neutron-274852978712773 /f
  2⤵
  PID:5108
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d Neutron-33021061420927 /f
  2⤵
  PID:5716
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d Neutron-2789143911869 /f
  2⤵
  PID:3992
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d Neutron-18092742132687 /f
  2⤵
  PID:5548
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d Neutron-7754466122833 /f
  2⤵
  PID:3608
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d Neutron-9783313989856 /f
  2⤵
  PID:3464
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d Neutron-216142851117613 /f
  2⤵
  PID:5704
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d Neutron-21616116978613 /f
  2⤵
  PID:1436
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d Neutron-158912293826500 /f
  2⤵
  PID:1080
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d Neutron-172692688511491 /f
  2⤵
  PID:1464
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d Neutron-249711048912273 /f
  2⤵
  PID:4684
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d Neutron-6899212795170 /f
  2⤵
  PID:5612
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d Neutron-21672176722840 /f
  2⤵
  PID:1492
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d Neutron-698434589030 /f
  2⤵
  PID:5084
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d Neutron-70561871829603 /f
  2⤵
  PID:5628
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d Neutron-141351971711306 /f
  2⤵
  PID:1644
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d Neutron-9853173932879 /f
  2⤵
  PID:5892
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d Neutron-18308185827794 /f
  2⤵
  PID:4740
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d Neutron-24980671614731 /f
  2⤵
  PID:4272
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d Neutron-208522948012529 /f
  2⤵
  PID:5908
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d Neutron-12630234534185 /f
  2⤵
  PID:5264
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d Neutron-3011183967670 /f
  2⤵
  PID:5144
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d Neutron-151941272931593 /f
  2⤵
  PID:4016
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d Neutron-37422460530328 /f
  2⤵
  PID:4024
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d Neutron-2004896017271 /f
  2⤵
  PID:4952
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d Neutron-244341857410946 /f
  2⤵
  PID:5616
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d Neutron-28031254546303 /f
  2⤵
  PID:376
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d Neutron-32703491910103 /f
  2⤵
  PID:3316
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d Neutron-172032284017262 /f
  2⤵
  PID:5636
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d Neutron-2095 /f
  2⤵
  - Enumerates system info in registry
  - Modifies registry key
  PID:6112
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Neutron-22322 /f
  2⤵
  - Enumerates system info in registry
  PID:6108
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardVersion /t REG_SZ /d Neutron-23558 /f
  2⤵
  - Enumerates system info in registry
  - Modifies registry key
  PID:6124
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BIOSVersion /t REG_SZ /d Neutron-23268 /f
  2⤵
  - Enumerates system info in registry
  - Modifies registry key
  PID:6100
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemFamily /t REG_SZ /d Neutron-19814 /f
  2⤵
  - Enumerates system info in registry
  PID:5156
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d Neutron-8957 /f
  2⤵
  - Enumerates system info in registry
  PID:6140
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d Neutron-27539 /f
  2⤵
  - Enumerates system info in registry
  - Modifies registry key
  PID:4692
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemSKU /t REG_SZ /d Neutron-944 /f
  2⤵
  - Enumerates system info in registry
  PID:5160
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemVersion /t REG_SZ /d Neutron-15339 /f
  2⤵
  - Enumerates system info in registry
  PID:6068
- C:\Windows\system32\reg.exe
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d Neutron-20215 /f
  2⤵
  - Enumerates system info in registry
  PID:6060
- C:\Windows\system32\reg.exe
  REG ADD "HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\THEGUY3ds\Downloads\Caught.Power-cleaned.exe.ApplicationCompany" /t REG_SZ /d "Neutron-27210" /f
  2⤵
  - Modifies registry class
  PID:1616
- C:\Windows\system32\reg.exe
  REG ADD "HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\THEGUY3ds\Downloads\Caught.Power.exe.ApplicationCompany" /t REG_SZ /d "Neutron-17375" /f
  2⤵
  - Modifies registry class
  PID:6052
- C:\Windows\system32\reg.exe
  REG ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\THEGUY3ds\Downloads\Caught.Power-cleaned.exe.ApplicationCompany" /t REG_SZ /d "Neutron-31138" /f
  2⤵
  - Modifies registry class
  PID:5044
- C:\Windows\system32\reg.exe
  REG ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Users\THEGUY3ds\Downloads\Caught.Power.exe.ApplicationCompany" /t REG_SZ /d "Neutron-324" /f
  2⤵
  - Modifies registry class
  PID:5256
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion" /v "RegisteredOrganization" /t REG_SZ /d "Neutron-24140" /f
  2⤵
  PID:368
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters" /v "HostName" /t REG_SZ /d "Neutron-24414" /f
  2⤵
  PID:5284
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters" /v "NV HostName" /t REG_SZ /d "Neutron-30679" /f
  2⤵
  PID:3692
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC}" /v "Hostname" /t REG_SZ /d "Neutron-28368" /f
  2⤵
  PID:3328
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB}" /v "Hostname" /t REG_SZ /d "Neutron-20069" /f
  2⤵
  PID:4036
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD}" /v "Hostname" /t REG_SZ /d "Neutron-4378" /f
  2⤵
  PID:3388
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "HostName" /t REG_SZ /d "Neutron-22482" /f
  2⤵
  PID:2312
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "NV HostName" /t REG_SZ /d "Neutron-32147" /f
  2⤵
  PID:2816
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC}" /v "Hostname" /t REG_SZ /d "Neutron-27454" /f
  2⤵
  PID:2220
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB}" /v "Hostname" /t REG_SZ /d "Neutron-24421" /f
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD}" /v "Hostname" /t REG_SZ /d "Neutron-32172" /f
  2⤵
  PID:1320
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir\LMS\Manifest.sav" "
  2⤵
  PID:5324
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\BattlEye" "
  2⤵
  PID:2320
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\BattlEye" do rmdir "%p" "
  2⤵
  PID:5736
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\CEF" "
  2⤵
  PID:2272
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\CEF" do rmdir "%p" "
  2⤵
  PID:4264
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\Comms" "
  2⤵
  PID:2928
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\Comms" do rmdir "%p" "
  2⤵
  PID:3676
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\ConnectedDevicesPlatform" "
  2⤵
  PID:5796
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\ConnectedDevicesPlatform" do rmdir "%p" "
  2⤵
  PID:4796
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\CrashDumps" "
  2⤵
  PID:5468
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\CrashDumps" do rmdir "%p" "
  2⤵
  PID:5512
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\CrashReportClient" "
  2⤵
  PID:5472
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\CrashReportClient" do rmdir "%p" "
  2⤵
  PID:5508
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\D3DSCache" "
  2⤵
  PID:3528
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\D3DSCache" do rmdir "%p" "
  2⤵
  PID:900
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\DBG" "
  2⤵
  PID:2800
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\DBG" do rmdir "%p" "
  2⤵
  PID:5480
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\EpicGamesLauncher" "
  2⤵
  PID:5544
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\EpicGamesLauncher" do rmdir "%p" "
  2⤵
  PID:5460
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\FortniteGame" "
  2⤵
  PID:5452
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\FortniteGame" do rmdir "%p" "
  2⤵
  PID:5380
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\Microsoft\Feeds" "
  2⤵
  PID:5584
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\Microsoft\Feeds" do rmdir "%p" "
  2⤵
  PID:5320
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\VirtualStore" "
  2⤵
  PID:4884
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\VirtualStore" do rmdir "%p" "
  2⤵
  PID:4116
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\UnrealEngineLauncher" "
  2⤵
  PID:2440
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\UnrealEngineLauncher" do rmdir "%p" "
  2⤵
  PID:1448
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\UnrealEngine" "
  2⤵
  PID:2108
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\UnrealEngine" do rmdir "%p" "
  2⤵
  PID:3812
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\Speech Graphics" "
  2⤵
  PID:6004
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\Speech Graphics" do rmdir "%p" "
  2⤵
  PID:5572
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\Publishers" "
  2⤵
  PID:2616
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\Publishers" do rmdir "%p" "
  2⤵
  PID:5568
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\Programs\Common" "
  2⤵
  PID:5556
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\Programs\Common" do rmdir "%p" "
  2⤵
  PID:3584
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Local\PlaceholderTileLogoFolder" "
  2⤵
  PID:2792
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Local\PlaceholderTileLogoFolder" do rmdir "%p" "
  2⤵
  PID:2420
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /q "C:\Users\%username%\AppData\Roaming\EasyAntiCheat" "
  2⤵
  PID:5108
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /q "C:\Users\%username%\AppData\Roaming\EasyAntiCheat" do rmdir "%p" "
  2⤵
  PID:5716
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir /s /q "C:\Users\%username%\AppData\Local\FortniteGame" "
  2⤵
  PID:536
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /f /a:h /a:a /q C:\Windows\Temp\*.* "
  2⤵
  PID:5768
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /f /a:h /a:a /q C:\Windows\prefetch\*.* "
  2⤵
  PID:5772
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /f /a:h /a:a /q C:\MSOCache\{71230000-00E2-0000-1000-00000000}\Setup.dat "
  2⤵
  PID:1080
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /f /a:h /a:a /q C:\Recovery\ntuser.sys "
  2⤵
  PID:1464
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /f /a:h /a:a /q %USERPROFILE%\appdata\local\Temp\338e89b.tmp "
  2⤵
  PID:4684
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /f /a:h /a:a /q %USERPROFILE%\appdata\roaming\EasyAntiCheat "
  2⤵
  PID:5612
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /f /a:h /a:a /q %USERPROFILE%\appdata\local\FortniteGame\ "
  2⤵
  PID:1492
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /f /a:h /a:a /q %USERPROFILE%\appdata\local\EpicGamesLauncher\ "
  2⤵
  PID:5084
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /f /a:h /a:a /q %USERPROFILE%\appdata\local\UnrealEngine\ "
  2⤵
  PID:5628
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /f /a:h /a:a /q %USERPROFILE%\appdata\local\UnrealEngineLauncher\ "
  2⤵
  PID:5912
- C:\Windows\system32\cmd.exe
  cmd /C "del /s /f /a:h /a:a /q %USERPROFILE%\appdata\local\Microsoft\Feeds\ "
  2⤵
  PID:4740
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /f /a:h /a:a /q %USERPROFILE%\appdata\local\Microsoft\Feeds "
  2⤵
  PID:4272
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /f /a:h /a:a /q %USERPROFILE%\appdata\local\FortniteGame "
  2⤵
  PID:2132
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /f /a:h /a:a /q %USERPROFILE%\appdata\local\EpicGamesLauncher "
  2⤵
  PID:6044
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /f /a:h /a:a /q %USERPROFILE%\appdata\local\UnrealEngine "
  2⤵
  PID:5956
- C:\Windows\system32\cmd.exe
  cmd /C "RD /s /f /a:h /a:a /q %USERPROFILE%\appdata\local\UnrealEngineLauncher "
  2⤵
  PID:3052
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /a:h /a:a /s /q "C:\Users\%USERPROFILE%\AppData\Local\FortniteGame\*.*" "
  2⤵
  PID:5944
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir /s /q "C:\Users\%USERPROFILE%\AppData\Local\FortniteGame" "
  2⤵
  PID:3540
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /a:h /a:a /s /q "C:\Users\Public\Libraries\*.*" "
  2⤵
  PID:6092
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /a:h /a:a /s /q "C:\Users\%USERPROFILE%\AppData\Local\Microsoft\Feeds\*.*" "
  2⤵
  PID:6108
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir /s /q "C:\Users\%USERPROFILE%\AppData\Local\Microsoft\Feeds" "
  2⤵
  PID:6124
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /a:h /a:a /s /q "C:\Users\%USERPROFILE%\AppData\Local\FortniteGame\Saved\LMS\Manifest.sav\*.*" "
  2⤵
  PID:5188
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir /s /q "C:\Users\%USERPROFILE%\AppData\Local\FortniteGame\Saved\LMS\Manifest.sav" "
  2⤵
  PID:5164
- C:\Windows\system32\cmd.exe
  cmd /C "del /f /a:h /a:a /s /q "C:\Users\%USERPROFILE%\AppData\Local\Temp\*.*" "
  2⤵
  PID:5168
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir /s /q "C:\Users\%USERPROFILE%\AppData\Local\Temp" "
  2⤵
  PID:5184
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe!App: 6F 70 0D 53 8D 13 D5 01" /f"
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.44.40.1000_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe: 53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 00 EA 08 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 0A 73 20 00 00 67 07 7C BA C5 4C D4 01 00 00 00 00 00 00 00 00" /f"
  2⤵
  PID:1408
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 70 42 0C 00 0E EB 0C 00 01 00 00 00 00 00 00 00 00 00 03 06 00 01 00 00 67 07 7C BA C5 4C D4 01 00 00 00 00 00 00 00 00 02 00 00 00 28 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 83 0C 00 00 00 00 00 00 01 00 00 00 01 00 00 00" /f"
  2⤵
  PID:3296
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbwe%5Cmicrosoft.system.package.metadata%5CS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2\LanguageList: 5F 65 6E 2D 55 53 5F 73 74 61 6E 64 61 72 64 5F 31 32 35 5F 55 53 5F 4C 54 52 5F 6C 69 67 68 74 5F 44 65 73 6B 74 6F 70" /f"
  2⤵
  PID:3944
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbwe%5Cmicrosoft.system.package.metadata%5CS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2\{Microsoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.XboxGamingOverlay/resources/GameBar}: "Game bar"" /f"REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MuiCache\ab\52C64B7E\C:\Program Files\Common Files\System\wab32res.dll,-4602: "Contact file"" /f"
  2⤵
  PID:3328
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MuiCache\ab\52C64B7E\C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\1033\\VSLauncherUI.dll,-1002: "Open in
  2⤵
  PID:4036
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MuiCache\ab\52C64B7E\windows.storage.dll,-21826: "Captures"" /f"
  2⤵
  PID:1604
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\DefaultIcon\: "C:\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe"" /f"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2052
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open\command\: "C:\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe"" /f"REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Children\03ce6902-ff58-41de-ab92-36fcaf27a580\Type: 0x00000001" /f"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3152
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
  2⤵
  PID:1320
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
  2⤵
  PID:5324
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
  2⤵
  PID:5788
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
  2⤵
  PID:5808
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
  2⤵
  PID:5804
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
  2⤵
  PID:4872
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
  2⤵
  PID:5780
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
  2⤵
  PID:3676
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
  2⤵
  PID:5796
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
  2⤵
  PID:4796
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
  2⤵
  PID:5504
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
  2⤵
  PID:5388
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
  2⤵
  PID:2504
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
  2⤵
  PID:5368
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182" /f
  2⤵
  PID:3208
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
  2⤵
  PID:5360
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\180" /f
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
  2⤵
  PID:2244
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\181" /f
  2⤵
  PID:5996
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
  2⤵
  PID:4712
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
  2⤵
  PID:6008
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
  2⤵
  PID:1872
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
  2⤵
  PID:6004
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
  2⤵
  PID:5572
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
  2⤵
  PID:4676
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
  2⤵
  PID:5580
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
  2⤵
  PID:2740
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
  2⤵
  PID:2576
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
  2⤵
  PID:5724
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
  2⤵
  PID:3608
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
  2⤵
  PID:3464
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
  2⤵
  PID:3288
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
  2⤵
  PID:4552
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
  2⤵
  PID:5856
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
  2⤵
  PID:1900
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
  2⤵
  PID:3984
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
  2⤵
  PID:4896
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
  2⤵
  PID:5968
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
  2⤵
  PID:5296
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
  2⤵
  PID:3708
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
  2⤵
  PID:5220
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
  2⤵
  PID:116
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
  2⤵
  PID:6044
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
  2⤵
  PID:4952
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
  2⤵
  PID:5616
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:5944
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:376
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
  2⤵
  PID:6136
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:6128
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
  2⤵
  PID:6100
- C:\Windows\system32\reg.exe
  reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007 /v NetworkAddress /d 002622D90EFC /f
  2⤵
  PID:5156
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:6140
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:5200
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:5180
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:5364
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:3880
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
  2⤵
  - Enumerates system info in registry
  PID:1544
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
  2⤵
  - Enumerates system info in registry
  PID:5972
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
  2⤵
  PID:5984
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
  2⤵
  - Enumerates system info in registry
  PID:5924
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
  2⤵
  - Checks processor information in registry
  PID:4304
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
  2⤵
  PID:5280
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
  2⤵
  PID:3240
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
  2⤵
  PID:1880
- C:\Windows\system32\reg.exe
  reg delete"HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
  2⤵
  PID:3728
- C:\Windows\system32\reg.exe
  reg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f
  2⤵
  PID:3104
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Desktop23572 /f
  2⤵
  - Modifies registry key
  PID:1604
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Desktop22740 /f
  2⤵
  - Modifies registry key
  PID:2052
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Admin3996} /f
  2⤵
  PID:3152
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {17761-12844-11304-32006} /f
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {3621-20237-28985-22272} /f
  2⤵
  - Modifies registry key
  PID:1320
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 4092 /f
  2⤵
  PID:5324
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 30850 /f
  2⤵
  PID:5788
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 19759 /f
  2⤵
  - Modifies registry key
  PID:5808
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 2647-12165-16249-4313 /f
  2⤵
  PID:5804
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 23030-17430-32190-20313 /f
  2⤵
  - Modifies registry key
  PID:5464
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 27329-1038-24841-19742 /f
  2⤵
  - Modifies registry key
  PID:4872
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 18112 /f
  2⤵
  - Modifies registry key
  PID:3676
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {2919-10043-23315-7040} /f
  2⤵
  PID:3988
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:4796
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 12427-28645-29206-Admin14262 /f
  2⤵
  - Modifies registry key
  PID:5512
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
  2⤵
  PID:5532
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Desktop7017 /f
  2⤵
  - Modifies registry key
  PID:5052
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Desktop18186 /f
  2⤵
  PID:5872
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Admin8876} /f
  2⤵
  - Modifies registry key
  PID:5540
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {3110-21191-19750-11507} /f
  2⤵
  PID:5380
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {13251-13274-8302-21720} /f
  2⤵
  PID:5928
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 18200 /f
  2⤵
  - Modifies registry key
  PID:5320
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 2068 /f
  2⤵
  - Modifies registry key
  PID:4884
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 27482 /f
  2⤵
  PID:2440
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 18057-32486-11581-15457 /f
  2⤵
  - Modifies registry key
  PID:5024
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 7982-27151-965-2819 /f
  2⤵
  - Modifies registry key
  PID:2108
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 28116-15026-5977-3597 /f
  2⤵
  - Modifies registry key
  PID:6056
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 16553 /f
  2⤵
  PID:1984
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {28312-13748-18201-4719} /f
  2⤵
  - Modifies registry key
  PID:972
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:4888
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 22223-26552-26452-Admin11307 /f
  2⤵
  PID:4648
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
  2⤵
  PID:4332
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6084
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5564
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5552
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5640
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:5748
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:5744
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:1080
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:1464
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
  2⤵
  PID:4684
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:5612
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:1492
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:5084
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:5628
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:2808
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:440
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 17044-189 /f
  2⤵
  - Modifies registry key
  PID:4272
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 29060-20253 /f
  2⤵
  - Modifies registry key
  PID:2132
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac20855} /f
  2⤵
  PID:3060
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {14377-15689-15093-12473-320} /f
  2⤵
  - Modifies registry key
  PID:6044
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {16290-25668-18425-5438-15540} /f
  2⤵
  - Modifies registry key
  PID:4952
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 28465-6415 /f
  2⤵
  PID:5616
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 25507-18119 /f
  2⤵
  PID:5944
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 17005-22329 /f
  2⤵
  - Modifies registry key
  PID:376
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 23759-11922-18025-31093-19150 /f
  2⤵
  - Modifies registry key
  PID:6136
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 18616-9414-19501-11381-11410 /f
  2⤵
  PID:6128
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 7181-17945-18094-20527 /f
  2⤵
  - Modifies registry key
  PID:6100
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 15264 /f
  2⤵
  - Modifies registry key
  PID:5156
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {9314-24592-9625-7152} /f
  2⤵
  - Modifies registry key
  PID:6140
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
  2⤵
  PID:5200
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:5180
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:5364
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:3880
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:1544
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:5972
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:5984
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:5924
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:4304
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  2⤵
  PID:5280
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:3240
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:1880
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  2⤵
  PID:3728
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  2⤵
  PID:3104
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
  2⤵
  PID:5212
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
  2⤵
  PID:2816
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
  2⤵
  PID:2220
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Parents\fd13f746e7d2d69760b017363f621255c9b49ac8" /f
  2⤵
  PID:4916
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
  2⤵
  PID:212
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499" /f
  2⤵
  PID:5372
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2" /f
  2⤵
  PID:3872
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572" /f
  2⤵
  PID:2120
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\DefaultIcon" /f
  2⤵
  PID:5776
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell" /f
  2⤵
  PID:3220
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open" /f
  2⤵
  PID:2756
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open\command" /f
  2⤵
  PID:5436
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
  2⤵
  PID:5424
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
  2⤵
  PID:5440
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
  2⤵
  PID:5520
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
  2⤵
  PID:900
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
  2⤵
  PID:5876
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
  2⤵
  PID:1052
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
  2⤵
  PID:5452
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
  2⤵
  PID:4072
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXm8fs0gj5h36ynw4kq0x3gqnz6ecr1kvy\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe: (NULL!)" /f
  2⤵
  PID:5584
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-gamebarservices\AppXm8fs0gj5h36ynw4kq0x3gqnz6ecr1kvy\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe: (NULL!)" /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
  2⤵
  PID:2244
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
  2⤵
  PID:5996
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
  2⤵
  PID:4712
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol\ms-gamebarservices\ACID: "App.AppXe655y38cadddpg1xd2b5k915wndhg5gm.mca"" /f
  2⤵
  PID:6008
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe\LastDetectionTime: F9 8F FD B6 8D 13 D5 01" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4728
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\AppPackageType: 0x00000000" /f
  2⤵
  PID:5752
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\PackageSid: "S-1-15-2-1823635404-1364722122-2170562666-1762391777-2399050872-3465541734-3732476201"" /f
  2⤵
  PID:4032
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\EnterpriseID: 0x00000000" /f
  2⤵
  PID:2236
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\CapSids: 0A 00 00 00 01 02 00 00 00 00 00 0F 03 00 00 00 01 00 00 00 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 E8 41 FE 65 15 CB 86 8E 43 2C E1 30 42 2A B3 51 4E 9C 0E 17 B4 1B 89 09 98 DA 44 8D 13 6A 0C B3 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 E4 29 72 AE 52 A9 2E 19 C4 FB 6C 51 9E 00 25 50 5B 64 A6 6F A4 D2 D0 57 D2 DB D7 37 F2 B0 85 AC 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 0B 44 35 CF 44 6C 30 B5 4C 90 DA 15 DB 4C 09 94 5A 08 A5 69 F0 DC C5 65 02 4A 7B B9 A8 2C DA C2 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 3C DA 35 57 2A 15 FA C8 02 C1 BC 52 65 2B D8 EC C8 8E 72 9B 62 79 A8 20 65 1E 06 07 AF 02 70 0C 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 CE 22 45 27 27 B8 EA 12 11 8A 20 EF 09 19 FD 6B B8 B4 A0 D6 03 10 5B DD D6 CF 74 85 60 22 D2 CD 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 0A D5 CA 1A 96 05 1C F5 5E 2C 0C CE 2A E" /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\ApplicationFlags: 0x00000000" /f
  2⤵
  PID:3992
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f
  2⤵
  PID:5848
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f
  2⤵
  PID:6096
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f
  2⤵
  PID:5196
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f
  2⤵
  PID:4612
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f
  2⤵
  PID:5684
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f
  2⤵
  PID:5552
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
  2⤵
  PID:4632
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f
  2⤵
  PID:5728
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f
  2⤵
  PID:536
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f
  2⤵
  PID:3608
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f
  2⤵
  PID:3464
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f
  2⤵
  PID:3288
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f
  2⤵
  PID:5692
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
  2⤵
  PID:5856
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
  2⤵
  PID:1900
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f
  2⤵
  PID:3984
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f
  2⤵
  PID:4896
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
  2⤵
  PID:5968
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
  2⤵
  PID:5296
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
  2⤵
  PID:3708
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f
  2⤵
  PID:5220
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f
  2⤵
  PID:116
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f
  2⤵
  PID:5952
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f
  2⤵
  PID:2324
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f
  2⤵
  PID:5940
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
  2⤵
  PID:4012
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 30 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 7E 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
  2⤵
  PID:6104
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
  2⤵
  PID:6112
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFamily: 0x0000004E" /f
  2⤵
  PID:6108
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageType: 0x00000001" /f
  2⤵
  PID:6124
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Flags: 0x00000000" /f
  2⤵
  PID:5148
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageOrigin: 0x00000003" /f
  2⤵
  PID:5172
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Volume: 0x00000001" /f
  2⤵
  PID:4692
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
  2⤵
  PID:5176
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 31 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 78 36 34 5F 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
  2⤵
  PID:6068
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
  2⤵
  PID:1004
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFamily: 0x0000004E" /f
  2⤵
  PID:5256
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageType: 0x00000004" /f
  2⤵
  PID:5036
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Flags: 0x00000000" /f
  2⤵
  PID:5604
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageOrigin: 0x00000003" /f
  2⤵
  PID:6052
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Volume: 0x00000001" /f
  2⤵
  PID:1616
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 32 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 73 70 6C 69 74 2E 73 63 61 6C 65 2D 31 30 30 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
  2⤵
  PID:3692
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\Package: 0x00000180" /f
  2⤵
  PID:3260
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\User: 0x00000003" /f
  2⤵
  PID:2656
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 30 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 30 00 00" /f
  2⤵
  PID:1452
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\Package: 0x00000181" /f
  2⤵
  PID:4036
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\User: 0x00000003" /f
  2⤵
  PID:2300
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 31 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 31 00 00" /f
  2⤵
  PID:4412
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\Package: 0x00000182" /f
  2⤵
  PID:2052
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\User: 0x00000003" /f
  2⤵
  PID:5116
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 32 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 32 00 00" /f
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\Package: 0x00000180" /f
  2⤵
  PID:1320
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\User: 0x00000004" /f
  2⤵
  PID:5324
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 33 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 30 00 00" /f
  2⤵
  PID:3864
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\Package: 0x00000181" /f
  2⤵
  PID:5808
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\User: 0x00000004" /f
  2⤵
  PID:5804
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 34 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 31 00 00" /f
  2⤵
  PID:5432
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml"" /f
  2⤵
  PID:4872
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxManifest.xml"" /f
  2⤵
  PID:5420
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe\AppxManifest.xml"" /f
  2⤵
  PID:3988
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml"" /f
  2⤵
  PID:5504
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\LastReturnValue: 0x00000000" /f
  2⤵
  PID:5388
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\NumberOfAttempts: 0x00000001" /f
  2⤵
  PID:2504
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxManifest.xml"" /f
  2⤵
  PID:5368
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe\AppxManifest.xml"" /f
  2⤵
  PID:3208
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3D39855: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
  2⤵
  PID:5360
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3CF4055: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\Google\Update\UsageStats\Daily\Counts\cup_ecdsa_http_failure: 01 00 00 00 00 00 00 00" /f
  2⤵
  PID:5928
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\AppPackageType: 0x00000000" /f
  2⤵
  PID:4532
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\PackageSid: "S-1-15-2-1823635404-1364722122-2170562666-1762391777-2399050872-3465541734-3732476201"" /f
  2⤵
  PID:3968
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\EnterpriseID: 0x00000000" /f
  2⤵
  PID:1448
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5228
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6056
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Children\03ce6902-ff58-41de-ab92-36fcaf27a580\GameDVR_GameGUID: "284ea1b3-f5e7-4133-b521-74a8d9ae997e"" /f"
  2⤵
  PID:4008
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Children\03ce6902-ff58-41de-ab92-36fcaf27a580\TitleId: "1820250788"" /f"
  2⤵
  PID:5732
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Children\03ce6902-ff58-41de-ab92-36fcaf27a580\MatchedExeFullPath: 43 3A 5C 50 72 6F 67 72 61 6D 20 46 69 6C 65 73 5C 45 70 69 63 20 47 61 6D 65 73 5C 46 6F 72 74 6E 69 74 65 5C 46 6F 72 74 6E 69 74 65 47 61 6D 65 5C 42 69 6E 61 72 69 65 73 5C 57 69 6E 36 34 5C 46 6F 72 74 6E 69 74 65 43 6C 69 65 6E 74 2D 57 69 6E 36 34 2D 53 68 69 70 70 69 6E 67 2E 65 78 65" /f"
  2⤵
  PID:5652
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Children\03ce6902-ff58-41de-ab92-36fcaf27a580\LastAccessed: 50 3B 6E 52 8D 13 D5 01" /f"
  2⤵
  PID:5704
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Parents\fd13f746e7d2d69760b017363f621255c9b49ac8\Children: "03ce6902-ff58-41de-ab92-36fcaf27a580"" /f"
  2⤵
  PID:6064
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbwe%5Cmicrosoft.system.package.metadata%5CS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2\LanguageList: 5F 65 6E 2D 55 53 5F 73 74 61 6E 64 61 72 64 5F 31 32 35 5F 55 53 5F 4C 54 52 5F 6C 69 67 68 74 5F 44 65 73 6B 74 6F 70" /f"
  2⤵
  PID:5196
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbwe%5Cmicrosoft.system.package.metadata%5CS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2\{Microsoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.XboxGamingOverlay/resources/GameBar}: "Game bar"" /f"
  2⤵
  PID:5568
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MuiCache\ab\52C64B7E\C:\Program Files\Common Files\System\wab32res.dll,-4602: "Contact file"" /f"
  2⤵
  PID:5792
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MuiCache\ab\52C64B7E\windows.storage.dll,-21826: "Captures"" /f"
  2⤵
  PID:5552
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows\CurrentVersion\GameDVR\Debug\ErrorHistoryEntry_2" /f
  2⤵
  PID:5612
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows\CurrentVersion\GameDVR\Debug\ErrorHistoryEntry_2" /f
  2⤵
  PID:1492
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows\CurrentVersion\GameDVR\Debug\ErrorHistoryIndex" /f
  2⤵
  PID:5892
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows\CurrentVersion\GameDVR\Debug\ErrorHistoryIndex" /f
  2⤵
  PID:5628
- C:\Windows\system32\reg.exe
  reg delete "HKU\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp" /f
  2⤵
  PID:5296
- C:\Windows\system32\reg.exe
  reg delete "HKU\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp" /f
  2⤵
  PID:440
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{574B26F9-094B-45B5-895D-C171342ABE5D}\DynamicInfo" /f
  2⤵
  PID:4272
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{574B26F9-094B-45B5-895D-C171342ABE5D}\DynamicInfo" /f
  2⤵
  PID:4016
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475" /f
  2⤵
  PID:5956
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\IdentityCRL\ClockData\ClockTimeSeconds" /f
  2⤵
  PID:6044
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\IdentityCRL\ClockData\ClockTimeSeconds" /f
  2⤵
  PID:2140
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\IdentityCRL\ClockData\TickCount" /f
  2⤵
  PID:3540
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\IdentityCRL\ClockData\TickCount" /f
  2⤵
  PID:6088
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Multimedia\Audio\Journal\Render" /f
  2⤵
  PID:6120
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Multimedia\Audio\Journal\Render" /f
  2⤵
  PID:6116
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\VFUProvider\StartTime" /f
  2⤵
  PID:5152
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\VFUProvider\StartTime" /f
  2⤵
  PID:3024
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC1C75" /f
  2⤵
  PID:2228
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC1C75" /f
  2⤵
  PID:5192
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\0D83063EA3BF1C75" /f
  2⤵
  PID:5200
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\0D83063EA3BF1C75" /f
  2⤵
  PID:3952
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475" /f
  2⤵
  PID:1884
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI\LastNotificationAddedTime" /f
  2⤵
  PID:5976
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI\LastNotificationAddedTime" /f
  2⤵
  PID:5980
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\LastLocalChangeTime" /f
  2⤵
  PID:2840
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\LastLocalChangeTime" /f
  2⤵
  PID:2384
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\Namespace\windows\NotificationSettings\LastBackupSettingChangeTime" /f
  2⤵
  PID:2692
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\Namespace\windows\NotificationSettings\LastBackupSettingChangeTime" /f
  2⤵
  PID:2036
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\Namespace\windows\NotificationSettings\BackupConsistencyTimestamp" /f
  2⤵
  PID:3296
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\Namespace\windows\NotificationSettings\BackupConsistencyTimestamp" /f
  2⤵
  PID:3944
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PUUActive" /f
  2⤵
  PID:3328
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PUUActive" /f
  2⤵
  PID:4640
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\HAM\AUI\ppleae38af2e007f4358a809ac99a64a67c1\V1\LU\PCT" /f
  2⤵
  PID:1408
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\HAM\AUI\ppleae38af2e007f4358a809ac99a64a67c1\V1\LU\PCT" /f
  2⤵
  PID:2296
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\HAM\AUI\ppleae38af2e007f4358a809ac99a64a67c1\V1\LU\PTT" /f
  2⤵
  PID:5300
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\HAM\AUI\ppleae38af2e007f4358a809ac99a64a67c1\V1\LU\PTT" /f
  2⤵
  PID:1708
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\HAM\AUI\ppleae38af2e007f4358a809ac99a64a67c1\V1\LU\PCT" /f
  2⤵
  PID:4472
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\HAM\AUI\ppleae38af2e007f4358a809ac99a64a67c1\V1\LU\PCT" /f
  2⤵
  PID:5376
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\HAM\AUI\ppleae38af2e007f4358a809ac99a64a67c1\V1\LU\PTT" /f
  2⤵
  PID:5852
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-3562401221-3456852255-1175621782-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\HAM\AUI\ppleae38af2e007f4358a809ac99a64a67c1\V1\LU\PTT" /f
  2⤵
  PID:5736
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-18\Software\Microsoft\Direct3D\LastTelemetryChangeStamp" /f
  2⤵
  PID:2272
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-18\Software\Microsoft\Direct3D\LastTelemetryChangeStamp" /f
  2⤵
  PID:4264

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\clean1.bat" "
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1664
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f
  2⤵
  PID:5848
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Electronic Arts" /f
  2⤵
  PID:5500
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f
  2⤵
  PID:5396
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Classes\origin" /f
  2⤵
  PID:5072
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f
  2⤵
  PID:2528
- C:\Windows\system32\reg.exe
  REG DELETE "HKCR\origin" /f
  2⤵
  PID:884
- C:\Windows\system32\reg.exe
  REG DELETE "HKCR\origin2" /f
  2⤵
  PID:5812
- C:\Windows\system32\reg.exe
  REG DELETE "HKCR\Applications\Origin.exe" /f
  2⤵
  PID:6012
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
  2⤵
  PID:2420
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
  2⤵
  PID:6096
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f
  2⤵
  PID:5572
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f
  2⤵
  PID:2740
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f
  2⤵
  PID:5580
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f
  2⤵
  PID:3608
- C:\Windows\system32\reg.exe
  REG DELETE "HKCR\Applications\Origin.exe" /f
  2⤵
  PID:2080
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
  2⤵
  PID:3684
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
  2⤵
  PID:3516
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
  2⤵
  PID:1464
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
  2⤵
  PID:5076
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
  2⤵
  PID:5048
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
  2⤵
  PID:5564
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
  2⤵
  PID:4632
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
  2⤵
  PID:4684
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
  2⤵
  PID:3464
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
  2⤵
  PID:1436
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
  2⤵
  PID:1416
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
  2⤵
  PID:5292
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
  2⤵
  PID:5772
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
  2⤵
  PID:5224
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
  2⤵
  PID:4740
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
  2⤵
  PID:5216
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
  2⤵
  PID:5888
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
  2⤵
  PID:116
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
  2⤵
  PID:5952
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
  2⤵
  PID:224
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
  2⤵
  PID:5940
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
  2⤵
  PID:4012
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
  2⤵
  PID:6104
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
  2⤵
  PID:6112
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
  2⤵
  PID:6108
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
  2⤵
  PID:6124
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
  2⤵
  PID:5148
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
  2⤵
  PID:5172
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
  2⤵
  PID:4692
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
  2⤵
  PID:5176
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
  2⤵
  PID:6068
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
  2⤵
  PID:1004
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
  2⤵
  PID:5256
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
  2⤵
  PID:5036
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
  2⤵
  PID:5604
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:6052
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:1616
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:3692
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
  2⤵
  PID:3260
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f
  2⤵
  PID:2656
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f
  2⤵
  PID:1452
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
  2⤵
  - Checks processor information in registry
  PID:5408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
b5da6f171b2fe8560e954eb873e65e2d

SHA1
5dd9600d0d284be29ab36b00d373ea38a4e2cb74

SHA256
e1c9092cdcd66aa799df79589f0503818b5f92171d8305458f447ec1593fe79a

SHA512
f16e601a146d157a3f9ae67bbc61190306f72cea2ad239b560cb4f552eb1514bc9ef63c7c65d020957948709b93d127c6a615d1fa995fa5128a704b86543c2f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
9dc479fd661486caf38cfe970da1dd0c

SHA1
9816cbff5bae124952e5f64a025916abd5c67d7e

SHA256
9d3a72c4743b3fbd2c77e1fb5a35671248de793d4a2c18aec8765630fa88b8ca

SHA512
6c2936b3aff330c63719b797cc2429b2fcd91d8647c4db32a04122fc64e55baedf823444896d7bb648a699de36d910f227ed68490498c713a7857ae366b5857a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
014101cf3d1bcebe941f04ab115db1c5

SHA1
71abea7eabad23db94a08893d9fc66105da23376

SHA256
56350e845705b4368b5217209e72043209ec09e1d55f5eaea91b46fa97f75c20

SHA512
6234da6ea63dadacc5bed1aca23af31047d234c9b07ec68c01e3f5c9cd580fafecffce2101333a0fd15c287dd9fe55e88719f21955ae04bb92f403ce661024e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7c21058a2d0411662073177f451db24

SHA1
9382882a6e3d642f0edc36585297d69a1f652c67

SHA256
0ebfd242646c41616a3ba4d2ac66ad8b823fa4683ae67939788493be7ef476f0

SHA512
e8f4511041bf04181ec267ae0c2e1c88db17e5e31bc1ba8d8bac2d97fa34cfea496f8a02ba48e811f534a23627a3bea0d12b17f5450f821b425abbda7a35b50f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8af92fbf9fd819565574ce16e93e51f1

SHA1
86fb9126dc7f709f2f277d67d112a614166bd267

SHA256
d235a1ed8dd29497b533cd091fff96dce83819756fee0b37ff3828484e40d1b9

SHA512
98f24ba00a07ca37dacb50e5050c7af37481a88dc275b0644aaebc697d761892d7189952f81f88d27dbc52b95111f742f668d9e0e4879433b859374c8d431844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
08776790cc3db57a31a0a1847ff8f9da

SHA1
a3e94acfd94135b45072db62f0dae11dab25b888

SHA256
5fe0e1ed785d30704100f9a6d3494aa4ff8dcc51d24f2acc3cdf1c96ff6d185d

SHA512
14b09cdd997c8673a07c30a1ca26226c6c8734bc9ad752a8e051d3497a18c53c11c37c8b2f081075f8d26ff2a6940e150088f7fb7df40f9086d18b1d7aef4fb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3efc97bf628f025c77fd81468df7c089

SHA1
c600e24d9886484334a38b4f24defadb24dc6e73

SHA256
d44759479623d0d58964856f67aa0315f796388258a5f9b15463e94b2ad94427

SHA512
3c6331a417a87a56097fd82c8bbeb0820aafb972e02dbf20eeb3c836c2f289024d2bd369548a9f4654bf2fb50f0c2caa0358cb7137a65ea4e66beafb49fb02f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie

Filesize
91B

MD5
99bde3452748e34d6c50275110a6a8d4

SHA1
e79cb2a8db7d8490523529d3861f95ba73a20c23

SHA256
d07311acf641866e7e84823d2962f593bb655792301dc61ad6f0c6869d9c5937

SHA512
19fd529c6fe60bbbe3710fed93f14d723a13ad427431f855ed84f5e5e496b9f3eb8a6e8c31d740239eb225753d52a4f464b489fdbdeff4477480026263d0f691

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\AssocProvider.dll

Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\DismCore.dll

Filesize
402KB

MD5
b1f793773dc727b4af1648d6d61f5602

SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68

SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\DmiProvider.dll

Filesize
415KB

MD5
ea8488990b95ce4ef6b4e210e0d963b2

SHA1
cd8bf723aa9690b8ca9a0215321e8148626a27d1

SHA256
04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98

SHA512
56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\FfuProvider.dll

Filesize
619KB

MD5
df785c5e4aacaee3bd16642d91492815

SHA1
286330d2ab07512e1f636b90613afcd6529ada1e

SHA256
56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271

SHA512
3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\FolderProvider.dll

Filesize
59KB

MD5
4f3250ecb7a170a5eb18295aa768702d

SHA1
70eb14976ddab023f85bc778621ade1d4b5f4d9d

SHA256
a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461

SHA512
e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\GenericProvider.dll

Filesize
149KB

MD5
ef7e2760c0a24453fc78359aea3d7869

SHA1
0ea67f1fd29df2615da43e023e86046e8e46e2e1

SHA256
d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a

SHA512
be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\en-US\AppxProvider.dll.mui

Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
8833761572f0964bdc1bea6e1667f458

SHA1
166260a12c3399a9aa298932862569756b4ecc45

SHA256
b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5

SHA512
2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
6c51a3187d2464c48cc8550b141e25c5

SHA1
a42e5ae0a3090b5ab4376058e506b111405d5508

SHA256
d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199

SHA512
87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\en-US\DismCore.dll.mui

Filesize
7KB

MD5
7a15f6e845f0679de593c5896fe171f9

SHA1
0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

SHA256
f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

SHA512
5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\en-US\DmiProvider.dll.mui

Filesize
17KB

MD5
b7252234aa43b7295bb62336adc1b85c

SHA1
b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f

SHA256
73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c

SHA512
88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\en-US\FfuProvider.dll.mui

Filesize
9KB

MD5
dc826a9cb121e2142b670d0b10022e22

SHA1
b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9

SHA256
ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a

SHA512
038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\en-US\FolderProvider.dll.mui

Filesize
2KB

MD5
22b4a3a1ec3b6d7aa3bc61d0812dc85f

SHA1
97ae3504a29eb555632d124022d8406fc5b6f662

SHA256
c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105

SHA512
9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F56EC9-81D8-4F4B-B640-22E390D7C955\en-US\dismprov.dll.mui

Filesize
2KB

MD5
7d06108999cc83eb3a23eadcebb547a5

SHA1
200866d87a490d17f6f8b17b26225afeb6d39446

SHA256
cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311

SHA512
9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC68F5~1.TMP

Filesize
196KB

MD5
9a076ddf646ecf22f1522543c8c587e2

SHA1
42d83100f3bc74d2ae4ea6311e8134682511ca1a

SHA256
bbd5855ff9aee73f4982c270dffec98350c703cf657398563bba8315d24bf8e5

SHA512
37f499702406e93db3b600d587fb5902cf7b1a7e90063ab00d8e2dc8fb691c11d52a8512893fad38622245d8c80d2cdf6ceeaa238ae990517ecf3e23bf45c810

Download Submit
C:\Users\Admin\AppData\Local\Temp\F86479~1.TMP

Filesize
224KB

MD5
09bd0f4196902acac51ec4fab447da46

SHA1
5d15beebfb17323b8d973546cf9c4cbb4f0cb0c9

SHA256
a252dde73c00028fb3f4ea18340f072dcb19b5ba60286ab8baf936437624dc3e

SHA512
aff8d4e1e746bf8c5cb9054a44f3a516b5110e76295621f40d715831e86d8fbfa34588019f7ea00ee06627205a38c597f677250c190729f03063c5c278eadef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SES~1

Filesize
53B

MD5
7af240bf25cdc0eb7ef23fd63654d1f4

SHA1
3dde63ce281523755652b0934f1f3e31a58e8f12

SHA256
3fd315a4781142fcdcc11cdd30f38d7049b66a7540bdb08a95bcc4ada5bd184f

SHA512
ef53ff515082df5f24620ccfe3a0b22ad560beff0f05803b155bec8fd5a85530a22c9452c2e6eb62561535280796ed7b770dac68cb1b3e62095615b843b0d342

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp29E6.tmp

Filesize
2KB

MD5
6e45692f9d7be1c0acc856b8384f068e

SHA1
3ff60531acf23135a2cd7ffa2aee9d3f970c5a37

SHA256
2e52aa1937d7162fea862d4824035afce11f55461cbbdcaada779269046d6bb4

SHA512
1ba357572ba9c43671a1e4cc87232d00f094d5ff0dfdc0e8f0e60cb516cc05b3272f1b121cc4d77ccbc03ce224731cc9a5a97c15e40ad7c4e398118df53d19c7

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\3.bat

Filesize
543KB

MD5
9d39831f2328903820a7359ac3e479a8

SHA1
2f2e720ed9b1462e5cdc8bc1d3a7e11fad6a887c

SHA256
4769a969888d95e0594ac296c3b7cf593dbb26bd7d27a47dc2c59022c0675263

SHA512
dad147bf672e4d0e69524e8103f715d133e21790ed7e3c065a02722e36c05e3e3dd9bac633da1b3eaa509a41caac46841261258478b9ad9c0aea7aea42d4204d

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\FNCLEAN.bat

Filesize
3.2MB

MD5
0bef79984a785d284e225d3576239802

SHA1
0a759883c5cd8822f269eca241c4dc8c43d86220

SHA256
33da2dd5c5ef66be92bc9024f58e5b967746ff2f4b693efe68e98df7da6d4c80

SHA512
d5d5aa1e7b3a46af0fd2f94eb5c45c451d3dd3a99debfba1fcda4f704dd3bb54d15fe7d4cda84fa5ca049a81115de73a583aa32da35db862ff6f00799f7700ad

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\FortniteCleaner.bat

Filesize
1.5MB

MD5
2429db21a224c48fa6b17e55a6762328

SHA1
f86eb0c2de25e8970add83b66253d3f18b0994e1

SHA256
365685c1e71944bc955c6be46cc33a44099bcb0f8c625228e89445f18866b778

SHA512
0487e79a9b2b427f8c0e5bb860e78039bcf29626bd58ad8190df858fcfa130d15add3fcd350cdadaccbc1d2e13f822dab76e418029d692d2ccd972594b4c0e23

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\Lurk_deep_cleaner.bat

Filesize
3.2MB

MD5
802163e30d9d50549b85433eac1876cf

SHA1
37076267767c8f9f6fa801fbd406d915015162f9

SHA256
564997d28a20b76f75ec28867ede54b18d542cf25be16999e3db8c6ebb980cdf

SHA512
26a53f0e5dc62f2f4f877b6cd6ef91537004c4d66183eb16d50c5ff429d0efd66dbc3d83571637d6e53f0b70dbb8c57adf188861350446b450b9c8a2a2972d7f

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\Prevent BSOD.bat

Filesize
163B

MD5
c43670686ae2fcdda31d7807b7ff7e99

SHA1
d48fe34d0ff92074dc336627cc292fc59b4fd6b8

SHA256
c1ca8b82ed15516b33e786f3595c02b89271a04ece8f45e58f3997d12218a4f7

SHA512
6a4552fcf175dfa6b27a683ffe7a498334be8f9ec4c2565f47a15951b890c468d8f12a5c27e7a1906c072d963e1554e9d151802cbd27bea1d36926950289ae17

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\Registry.bat

Filesize
159KB

MD5
82c83643e937e4802178b2762976275d

SHA1
260befe1c1cb651f60cd5bf067f0d285922ce916

SHA256
867ebe3a036cdc5c70c2ee267ca4a9124bc717dfb3e73c132dc60a4693a13d24

SHA512
954e168c4c144d3660a179f1deabb0df521c48a4f635159d65f086b09140f801bbbb912134fab019d9283f575a36f97d3c74067897826a270cceb3f0ff928de9

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\Reset_ip.bat

Filesize
436B

MD5
8175e46feb5b12012c3780de248d2e72

SHA1
c79e4373554a9c397c611b6bad04b5743ca53a3d

SHA256
a11555e1ab7e92eee837f6778cdd41928a13efdc21f8b788abcacbe7bc511255

SHA512
9dea656e6f36bad77dc1db32d73fb58559447fcc5a67290a2809930540086ee042693e643dea1be4cff4ec6345e0209d99ae840aaa1468a5b2d7fb1a3bb8fff5

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\clean1.bat

Filesize
579KB

MD5
5512c5dce702c3564581f40032ef877c

SHA1
3c3b98500b82df4ebfb80bfd20c7399ef029f2d5

SHA256
9fa1a9cb82e9731cba045d93ce8720a78eac7e48e0c88c1a76f46e3536a2341e

SHA512
9541dec6b3fe149c24065d481e21f3943d94646b6b7ccff31643a70a1e2c6f89272a5047e63d49dfac9e07aba9dd5b4215544a6a04b1fbfdd197db7017f6cbe8

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\clean3.bat

Filesize
22KB

MD5
fbd3ebe26a823f86ae2deed72df613b9

SHA1
ac360161007807aff1577ca90edc57b21c3d14c3

SHA256
8e43a6e232e9842777d3fce8c552bf942359757e6af092595c98ae101ee0e94d

SHA512
2def0b5306711a7806cdfe58196877cda39f3b0bcc5786776d9164f28310dfd85cbf922dc1619f2bba3dfa5c84a5701d1b948042e0af28b6af5c4c893ce045f5

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\clean4.bat

Filesize
853KB

MD5
d4c34b33b42ce1a0aa1227fa3a768124

SHA1
796606e45d27fd332c6143f6f09cef3c8a522493

SHA256
d2f5b505cd5a6baaabb9d1f51f6b5800139034db44e220f83b44cd66b3197b38

SHA512
33ffd3944bfe182cfcd9f40bb73af997db37692f6a769953e931af24acbebaa2a698254860fc2095cd507d84a2437907016cc8d1bd3614cf6899f6428ef86ff1

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\clean5.bat

Filesize
275KB

MD5
2b043c717d3e6336adfdd1cb074bbe88

SHA1
c08abb3f64f9e22a73d9e7032a49448a0180d7c2

SHA256
709731808b76e8cb0c479131c862281ca9bc611cf6936b0af195feb2320fd1c2

SHA512
e9967d207fdb6cf8e6d17481f4daa9acf76f9a11bcb71bb7bddaf44a54416eadbedc43c6ba31e93cb9b1512cb316a41ec3062c6d7e2794a01233ee8d3bd739d2

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\mp5_cleaner_pack_5.bat

Filesize
830KB

MD5
5f6747cc88b35044e395fd82b5ec7762

SHA1
c683ddc63bdc6f3426f219b58490d8d2d1f8975e

SHA256
81577fb7ba452a4585ab3009fdee9736ecf4ab7671764174b335c8fbfeb79ebe

SHA512
c5f2e6512b68f7026d8dcc8ba38a8604196647263af383c80bda2432023be551be2e74eb38bcd4519d52e7a778e9d25aed286c0fec9c24c64a86fdd8d036971a

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\mp5_cleaner_pack_6.bat

Filesize
22KB

MD5
691a8da53eac534e67dd0a1afd8d7829

SHA1
fe9754ea0817ab1c3b43c3541ec0b8b5fb551aea

SHA256
6d8474b60f28ee629a8b0eae25cc8c214d2e45c23e64445105389b530b535819

SHA512
667193eee3fceb28c9fdce6017938d87d0666948cee6abe46f36e92055781e30d8e39d3835fcf7d8350f560873065c958e7e0c58aee242f770beade3be27d6f6

Download Submit
C:\Users\Admin\Desktop\cleaners (creds Zeen not vsn)\regedit_change.bat

Filesize
361KB

MD5
76612436f2530bdedea29c7b93dac4aa

SHA1
ef4459e02db59572c48c3534dff5138dd2b80c89

SHA256
d73f8099a9125b4cf8932de41114ce9a308c5426f95818b385e3160fb442b558

SHA512
b80c3b2819dc633bb6829cf190f3f6852298a11b36ebaed7170252385096e72e241719a18b46ac4c1c822e961d8ac3e0d195bbba9bcbff754f4314df2b9ab988

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 197403.crdownload

Filesize
1.6MB

MD5
0622b68e51d8694348e2970140a854b6

SHA1
7bc0673b3f5cae57019a4e835951688c11dc2d13

SHA256
2cfc6d3c627984afda1b0df8bd70d26116e769fa60fb951db5fd65a96bad6a50

SHA512
282cdb66363f16d727c89b9a2ab6771a723eebe8e5560abbfa28af8bd61e3a113bade5f4825648d5f04ca6a7af3b3f326fe8abcc465196c09f86a3cdadaee5c3

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
6KB

MD5
0e09660eb1fcd941abd16604a3cf3119

SHA1
ce3df1c2795bda38f7af7b5d1bdaa1d9a16515b8

SHA256
e46295ee3a9987d97a4a53e93830aba531d78a56f5d95b0731cc3badb94fefc2

SHA512
6dfe43415f0cb5fb76ce9ec5ab3ace25b74f9190fe737fc2ac83e5060b155587e455dc90d987d21fb8e9a8e4942536e276c85873d577180417aa1593ad135da8

Download Submit
C:\Windows\System32\PerfStringBackup.TMP

Filesize
4.9MB

MD5
c6833baf16a419db699d7280422b4eb2

SHA1
3724439586127bb9afb3b58bf8aad59dc29eaad7

SHA256
ae368029682abde480d020c006c745f7ec1a7298162a5fd71745f9c8fa5dca00

SHA512
78ae921bb799a6902efec9d8d6dda2834d16d7bb81aabba2a4d964b84560557c7a1441ecf9d3cc3ce606d364654bf36f7ed6cf7595709a49ef0c09d5d91257b7

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
142KB

MD5
1bd26a75846ce780d72b93caffac89f6

SHA1
ff89b7c5e8c46c6c2e52383849bbf008bd91d66e

SHA256
55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a

SHA512
4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
147KB

MD5
6d4b430c2abf0ec4ca1909e6e2f097db

SHA1
97c330923a6380fe8ea8e440ce2c568594d3fff7

SHA256
44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e

SHA512
cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
141KB

MD5
6adbb878124fcd6561655718f12bff5f

SHA1
1711619dda04178fb47eea6658da6ad52f6cf660

SHA256
0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf

SHA512
88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
138KB

MD5
c0a264734479700068f6e00ef4fd4aa7

SHA1
4e1a8c6a53ea9b54eb76f12d99b1327137a47ebd

SHA256
71c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735

SHA512
85ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
125KB

MD5
eef14d868d4e0c2354c345abc4902445

SHA1
173c39e29dbe6dfd5044f5f788fa4e7618d68d4d

SHA256
9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f

SHA512
c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
710KB

MD5
82d7f8765db25b313ecf436572dbe840

SHA1
da9ed48d5386a1133f878b3e00988cbf4cdebab8

SHA256
3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3

SHA512
59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
681KB

MD5
c926492a458cb3697819f575eb6cff81

SHA1
4a2b1e1b662c442a8c2ab557605d86bd833ea32d

SHA256
402169dfe8c1d904e60b29b8525942c09d3be6bc9ec0d7e49c91b4ba2ac32632

SHA512
c09841c9c44f2b92bab4c12661073ede0ed71dd9dccd613946cb2bc317f8c3cc89a5f1397476f8f81a5fe60d38eb67851b60ed0d03288e4e239a7ebfb0a19085

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
754KB

MD5
4e62108a0d4a00aa39624f4f941d2595

SHA1
7fbff1d3ac293c715a303ac37da0ceb12591028b

SHA256
3df3adaa8bd1ec4dd99bf304c7a1b0d513097fbeb8648efad4b127c5522c3263

SHA512
c79a483e4012d8c97f4a2188fdc27ea04bae24993b12487551872f1413a1a0884197dc71d13ba1dfd32c9b2c93089761f6f3ec37f0bb19e209dbf19283462126

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
758KB

MD5
b87c7ea0e738fc61eb32a94fbd6c6775

SHA1
0e730aa70900f623205b93cb1d6e11be4c0d51b5

SHA256
6cd8b09f644b22c39e02af26b57580baa0fbed01b682d158b29c676d17dac5c0

SHA512
4bad64af992b17a5700cf25ccfa299b2db5be846b8bc28233fa6987964994a34694eb53329ede8d04092298e4b16f06563e459692c210111e0420ee34468f23d

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
747KB

MD5
77a299c7d27f4e4372cd6c1de0781586

SHA1
bb6bf16619da6d0acc30797cd10978bde64892fd

SHA256
6699946552b9d5ebe64d6854228984a773e413a345816a5597b7d7035d4c09bf

SHA512
21fa8fd59e56018a3d888aed054e4117b246a5ea4568c2df93334d7565d50a512b5fc2c66c09572f7d1363e5b65ddb34d0c072267be78b15681076d2380cf98b

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
462KB

MD5
a8bc9760fe491ad0305212839f5caaaf

SHA1
e5aa69598284bc55ef94adcf3745053650179f42

SHA256
6de2fdef2860e6e37cab23fa1785182c47955bc525c6e43f5b6887962ec7da8b

SHA512
4e19385e847d0f2de2d66979272a32bdb159c34319f45e7a497672904f20e52fa288778a7a5d1500b43abaeaea5f9f3cfda805895cf94442e5bd4d92d8751f13

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
435B

MD5
1cc4c3b9bb1657be77939f0b565e315d

SHA1
6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25

SHA256
9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a

SHA512
fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
1KB

MD5
a656a56b1fda4aa28383160ba6ebea3b

SHA1
bda09bb6f5f28f5470147113e93d46a02853dfe1

SHA256
639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318

SHA512
fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae

Download Submit