Analysis
-
max time kernel
81s -
max time network
149s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
27/01/2025, 20:52
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://gofile.io/d/Eus8As
Resource
win10ltsc2021-20250113-en
General
-
Target
https://gofile.io/d/Eus8As
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 4608 netsh.exe 5276 netsh.exe -
Stops running service(s) 4 TTPs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: cmd.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\054e67a2-64f2-4496-9245-70e88960c189.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250127205331.pma setup.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\INF\UsbccidDriver.inf cmd.exe File opened for modification C:\Windows\INF\c_volsnap.inf cmd.exe File opened for modification C:\Windows\INF\iaLPSS2i_GPIO2_GLK.inf cmd.exe File opened for modification C:\Windows\INF\MSDTC\0410\msdtcprf.ini cmd.exe File opened for modification C:\Windows\INF\netwew00.inf cmd.exe File opened for modification C:\Windows\INF\netwtw08.inf cmd.exe File opened for modification C:\Windows\INF\acxhdaudiop.inf cmd.exe File opened for modification C:\Windows\INF\BthLCPen.inf cmd.exe File opened for modification C:\Windows\INF\netrtwlane_13.inf cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LAD1FC~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LAA203~1.MUM cmd.exe File opened for modification C:\Windows\INF\c_extension.inf cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA0148~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\MI84DA~1.MUM cmd.exe File opened for modification C:\Windows\INF\.NET CLR Networking\0411\_Networkingperfcounters_v2_d.ini cmd.exe File opened for modification C:\Windows\INF\.NET Data Provider for SqlServer\0000\_dataperfcounters_shared12_neutral_d.ini cmd.exe File opened for modification C:\Windows\INF\MSDTC\0409\msdtcprf.ini cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA3C85~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA7245~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA434A~1.MUM cmd.exe File opened for modification C:\Windows\INF\netbc64.inf cmd.exe File opened for modification C:\Windows\INF\wceisvista.inf cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA99F0~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA7573~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA2880~1.MUM cmd.exe File opened for modification C:\Windows\INF\netr28x.inf cmd.exe File opened for modification C:\Windows\INF\rdyboost\0C0A\ReadyBoostPerfCounters.ini cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LADBD9~1.MUM cmd.exe File opened for modification C:\Windows\INF\.NET Data Provider for SqlServer\040C\_dataperfcounters_shared12_neutral_d.ini cmd.exe File opened for modification C:\Windows\INF\.NETFramework\040C\corperfmonsymbols_d.ini cmd.exe File opened for modification C:\Windows\INF\c_usbdevice.inf cmd.exe File opened for modification C:\Windows\INF\iastorav.inf cmd.exe File opened for modification C:\Windows\INF\mdmeric2.inf cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LAAFFC~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA267A~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LABD4B~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA3127~1.MUM cmd.exe File opened for modification C:\Windows\INF\intelpep.inf cmd.exe File opened for modification C:\Windows\INF\mdmdsi.inf cmd.exe File opened for modification C:\Windows\INF\mdmnis5t.inf cmd.exe File opened for modification C:\Windows\INF\microsoft_bluetooth_avrcptransport.inf cmd.exe File opened for modification C:\Windows\INF\wvmbus.inf cmd.exe File opened for modification C:\Windows\INF\mdmminij.inf cmd.exe File opened for modification C:\Windows\INF\netnwifi.inf cmd.exe File opened for modification C:\Windows\INF\wvmic_heartbeat.inf cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA0001~1.MUM cmd.exe File opened for modification C:\Windows\INF\c_processor.inf cmd.exe File opened for modification C:\Windows\INF\WINDOW~1.0\0407\PerfCounters_D.ini cmd.exe File opened for modification C:\Windows\INF\wsearchidxpi\0410\idxcntrs.ini cmd.exe File opened for modification C:\Windows\INF\.NET CLR Networking 4.0.0.0\0C0A\_Networkingperfcounters_d.ini cmd.exe File opened for modification C:\Windows\INF\c_bluetooth.inf cmd.exe File opened for modification C:\Windows\INF\net8192su64.inf cmd.exe File opened for modification C:\Windows\INF\netg664.inf cmd.exe File opened for modification C:\Windows\INF\vsmraid.inf cmd.exe File opened for modification C:\Windows\INF\sbp2.inf cmd.exe File opened for modification C:\Windows\INF\TAPISRV\0422\tapiperf.ini cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\LA35A0~1.MUM cmd.exe File opened for modification C:\Windows\INF\bcmfn2.inf cmd.exe File opened for modification C:\Windows\INF\iagpio.inf cmd.exe File opened for modification C:\Windows\INF\iaLPSS2i_I2C_BXT_P.inf cmd.exe File opened for modification C:\Windows\INF\lsi_sas.inf cmd.exe File opened for modification C:\Windows\INF\mdmnis3t.inf cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\RSATSE~1.MUM cmd.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\HELLOF~2.MUM cmd.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4416 sc.exe 4244 sc.exe 1124 sc.exe 2512 sc.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2056 reg.exe 916 reg.exe 5384 reg.exe 4852 reg.exe 4224 reg.exe 1124 reg.exe 6080 reg.exe 5280 reg.exe 2512 sc.exe 5320 reg.exe 5072 reg.exe 4244 sc.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 reg.exe -
Enumerates system info in registry 2 TTPs 23 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer reg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 64 IoCs
pid Process 4244 taskkill.exe 5208 taskkill.exe 1124 taskkill.exe 4172 taskkill.exe 5600 taskkill.exe 704 taskkill.exe 400 taskkill.exe 5280 taskkill.exe 5556 taskkill.exe 3364 taskkill.exe 5524 taskkill.exe 5368 taskkill.exe 480 taskkill.exe 1864 taskkill.exe 5600 taskkill.exe 6132 taskkill.exe 2948 taskkill.exe 5880 taskkill.exe 2948 taskkill.exe 5524 taskkill.exe 652 taskkill.exe 3196 taskkill.exe 5528 taskkill.exe 4244 taskkill.exe 5172 taskkill.exe 5552 taskkill.exe 5572 taskkill.exe 5380 taskkill.exe 1436 taskkill.exe 6048 taskkill.exe 5548 taskkill.exe 1440 taskkill.exe 5828 taskkill.exe 3336 taskkill.exe 3228 taskkill.exe 5452 taskkill.exe 2644 taskkill.exe 3232 taskkill.exe 5576 taskkill.exe 2948 taskkill.exe 5868 taskkill.exe 2352 taskkill.exe 3868 taskkill.exe 5412 taskkill.exe 4608 taskkill.exe 5816 taskkill.exe 5504 taskkill.exe 2724 taskkill.exe 2116 taskkill.exe 1596 taskkill.exe 2820 taskkill.exe 2404 taskkill.exe 5140 taskkill.exe 5144 taskkill.exe 5484 taskkill.exe 3156 taskkill.exe 5824 taskkill.exe 5932 taskkill.exe 6008 taskkill.exe 5668 taskkill.exe 6020 taskkill.exe 3836 taskkill.exe 4416 taskkill.exe 6116 taskkill.exe -
Modifies registry class 24 IoCs
description ioc Process Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 reg.exe Key created \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings msedge.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9} reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 reg.exe -
Modifies registry key 1 TTPs 64 IoCs
pid Process 1572 reg.exe 5172 reg.exe 3880 reg.exe 1236 reg.exe 1444 reg.exe 5256 reg.exe 5600 reg.exe 5072 reg.exe 5124 reg.exe 6036 reg.exe 4224 reg.exe 2516 reg.exe 5412 reg.exe 5328 reg.exe 1544 reg.exe 5196 reg.exe 4532 reg.exe 4360 reg.exe 2768 reg.exe 3204 reg.exe 6076 reg.exe 5944 reg.exe 5920 reg.exe 3128 reg.exe 5556 reg.exe 1824 reg.exe 4172 reg.exe 5344 reg.exe 4372 reg.exe 1360 reg.exe 3968 reg.exe 5468 reg.exe 480 reg.exe 3368 reg.exe 5500 reg.exe 5332 reg.exe 4624 reg.exe 2404 reg.exe 2696 reg.exe 2116 reg.exe 2380 reg.exe 3364 reg.exe 2404 reg.exe 3836 reg.exe 3628 reg.exe 5896 reg.exe 4852 reg.exe 5896 reg.exe 5396 reg.exe 1892 reg.exe 4796 reg.exe 5592 reg.exe 3000 reg.exe 1196 reg.exe 1648 reg.exe 1248 reg.exe 5504 reg.exe 5588 reg.exe 548 reg.exe 5816 reg.exe 2644 reg.exe 5512 reg.exe 5896 reg.exe 5476 reg.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4880 msedge.exe 4880 msedge.exe 3684 msedge.exe 3684 msedge.exe 4560 identity_helper.exe 4560 identity_helper.exe 5372 msedge.exe 5372 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3868 taskkill.exe Token: SeDebugPrivilege 2948 taskkill.exe Token: SeDebugPrivilege 5172 taskkill.exe Token: SeDebugPrivilege 4416 taskkill.exe Token: SeDebugPrivilege 3232 taskkill.exe Token: SeDebugPrivilege 2404 taskkill.exe Token: SeDebugPrivilege 5412 taskkill.exe Token: SeDebugPrivilege 5524 taskkill.exe Token: SeDebugPrivilege 5552 taskkill.exe Token: SeDebugPrivilege 5576 taskkill.exe Token: SeDebugPrivilege 5600 taskkill.exe Token: SeDebugPrivilege 6116 taskkill.exe Token: SeDebugPrivilege 652 taskkill.exe Token: SeDebugPrivilege 5992 taskkill.exe Token: SeDebugPrivilege 3868 taskkill.exe Token: SeDebugPrivilege 2948 taskkill.exe Token: SeDebugPrivilege 3196 taskkill.exe Token: SeDebugPrivilege 5140 taskkill.exe Token: SeDebugPrivilege 5344 taskkill.exe Token: SeDebugPrivilege 5504 taskkill.exe Token: SeDebugPrivilege 5548 taskkill.exe Token: SeDebugPrivilege 1440 taskkill.exe Token: SeDebugPrivilege 2116 taskkill.exe Token: SeDebugPrivilege 480 taskkill.exe Token: SeDebugPrivilege 3156 taskkill.exe Token: SeDebugPrivilege 3336 taskkill.exe Token: SeDebugPrivilege 6132 taskkill.exe Token: SeDebugPrivilege 5528 taskkill.exe Token: SeDebugPrivilege 1440 taskkill.exe Token: SeDebugPrivilege 2724 taskkill.exe Token: SeDebugPrivilege 5868 taskkill.exe Token: SeDebugPrivilege 5280 taskkill.exe Token: SeDebugPrivilege 5932 taskkill.exe Token: SeDebugPrivilege 1864 taskkill.exe Token: SeDebugPrivilege 6008 taskkill.exe Token: SeDebugPrivilege 3364 taskkill.exe Token: SeDebugPrivilege 2352 taskkill.exe Token: SeDebugPrivilege 1596 taskkill.exe Token: SeDebugPrivilege 5524 taskkill.exe Token: SeDebugPrivilege 5668 taskkill.exe Token: SeDebugPrivilege 5820 taskkill.exe Token: SeDebugPrivilege 4636 taskkill.exe Token: SeDebugPrivilege 5600 taskkill.exe Token: SeDebugPrivilege 704 taskkill.exe Token: SeDebugPrivilege 5824 taskkill.exe Token: SeDebugPrivilege 6020 taskkill.exe Token: SeDebugPrivilege 4244 taskkill.exe Token: SeDebugPrivilege 3836 taskkill.exe Token: SeDebugPrivilege 5144 taskkill.exe Token: SeDebugPrivilege 6132 taskkill.exe Token: SeDebugPrivilege 2948 taskkill.exe Token: SeDebugPrivilege 2820 taskkill.exe Token: SeDebugPrivilege 1092 taskkill.exe Token: SeDebugPrivilege 5572 taskkill.exe Token: SeDebugPrivilege 5556 taskkill.exe Token: SeDebugPrivilege 5380 taskkill.exe Token: SeDebugPrivilege 5452 taskkill.exe Token: SeDebugPrivilege 5208 taskkill.exe Token: SeDebugPrivilege 1436 taskkill.exe Token: SeDebugPrivilege 400 taskkill.exe Token: SeDebugPrivilege 2644 taskkill.exe Token: SeDebugPrivilege 6048 taskkill.exe Token: SeDebugPrivilege 1544 taskkill.exe Token: SeDebugPrivilege 4244 taskkill.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3684 wrote to memory of 3068 3684 msedge.exe 81 PID 3684 wrote to memory of 3068 3684 msedge.exe 81 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4696 3684 msedge.exe 82 PID 3684 wrote to memory of 4880 3684 msedge.exe 83 PID 3684 wrote to memory of 4880 3684 msedge.exe 83 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 PID 3684 wrote to memory of 4864 3684 msedge.exe 84 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/Eus8As1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff8706c46f8,0x7ff8706c4708,0x7ff8706c47182⤵PID:3068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:22⤵PID:4696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:82⤵PID:4864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵PID:4376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:12⤵PID:2356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:12⤵PID:2148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵PID:5060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:82⤵PID:2768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
PID:4396 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff775dc5460,0x7ff775dc5470,0x7ff775dc54803⤵PID:1936
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:12⤵PID:3760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:12⤵PID:4648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:12⤵PID:2528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:12⤵PID:4900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:12⤵PID:5236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6520 /prefetch:82⤵PID:5352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:12⤵PID:5360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6656 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10402303466532703231,11963398859552430881,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5232 /prefetch:22⤵PID:5208
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2628
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3060
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5872
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Cleaners\DX Tourney Cleaner (FN).bat"1⤵PID:3984
-
C:\Windows\system32\taskkill.exetaskkill /f /im epicgameslauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3868
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicWebHelper.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5172
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4416
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3232
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2404
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5412
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5524
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEService.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5552
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEServices.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5576
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BattleEye.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5600
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f2⤵PID:5440
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Epic Games" /f2⤵PID:5376
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f2⤵PID:5428
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f2⤵PID:1472
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f2⤵PID:4324
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f2⤵PID:5816
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f2⤵PID:5836
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f2⤵PID:5868
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f2⤵PID:5884
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f2⤵PID:5520
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f2⤵PID:5284
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f2⤵PID:5292
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f2⤵PID:5304
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f2⤵PID:5276
-
-
C:\Windows\system32\reg.exereg delete "HKCR\com.epicgames.eos" /f2⤵PID:5912
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f2⤵PID:5960
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\EpicGames" /f2⤵PID:564
-
-
C:\Windows\system32\reg.exereg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f2⤵PID:4604
-
-
C:\Windows\system32\netsh.exenetsh advfirewall reset2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4608
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Cleaners\DX Tourney Cleaner (FN)2.bat"1⤵PID:6072
-
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"2⤵PID:5928
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im epicgameslauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6116
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicWebHelper.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:652
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5992
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3868
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3196
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5140
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5344
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEService.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5504
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEServices.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5548
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BattleEye.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f2⤵PID:5564
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Epic Games" /f2⤵PID:5576
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f2⤵PID:5604
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f2⤵PID:5452
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f2⤵PID:5668
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f2⤵PID:704
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f2⤵PID:3248
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f2⤵PID:5688
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f2⤵PID:5828
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f2⤵PID:4472
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f2⤵PID:5876
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f2⤵PID:5368
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f2⤵PID:5904
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f2⤵PID:5280
-
-
C:\Windows\system32\reg.exereg delete "HKCR\com.epicgames.eos" /f2⤵PID:5312
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f2⤵PID:5292
-
-
C:\Windows\system32\reg.exereg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f2⤵PID:5304
-
-
C:\Windows\system32\netsh.exenetsh advfirewall reset2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5276
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Cleaners\DX Tourney Cleaner (FN)3.bat"1⤵PID:552
-
C:\Windows\system32\taskkill.exetaskkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:480
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3156
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3336
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6132
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:5796
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:6140
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f2⤵PID:2352
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f2⤵PID:5992
-
-
C:\Windows\system32\reg.exereg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f2⤵PID:5188
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:3000
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:3880
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f2⤵PID:5136
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f2⤵PID:5124
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f2⤵PID:4852
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f2⤵PID:5332
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 32000-5970 /f2⤵
- Modifies registry key
PID:5896
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 30826-17903 /f2⤵
- Modifies registry key
PID:2404
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac18469} /f2⤵
- Modifies registry key
PID:5344
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {2462-5012-22139-18331-29232} /f2⤵
- Modifies registry key
PID:5412
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {13895-9586-20685-8855-13916} /f2⤵
- Modifies registry key
PID:5504
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 4497-26261 /f2⤵
- Modifies registry key
PID:5556
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 29973-7331 /f2⤵
- Modifies registry key
PID:5592
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 31165-16465 /f2⤵
- Modifies registry key
PID:5588
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 1885-1167-28137-18234-4763 /f2⤵
- Modifies registry key
PID:5476
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 9263-26426-32241-1205-4192 /f2⤵PID:5424
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 19305-1627-16080-4418 /f2⤵
- Modifies registry key
PID:5600
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 16234 /f2⤵
- Modifies registry key
PID:5468
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {14767-7447-6888-3403} /f2⤵
- Modifies registry key
PID:4372
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f2⤵PID:5372
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:1472
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:2864
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f2⤵PID:5820
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f2⤵PID:5848
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f2⤵PID:5880
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f2⤵PID:3180
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f2⤵PID:5368
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f2⤵PID:5904
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f2⤵PID:5280
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f2⤵PID:5320
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f2⤵PID:5492
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f2⤵PID:1436
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f2⤵PID:5272
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f2⤵PID:5276
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f2⤵PID:5956
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f2⤵PID:5952
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f2⤵PID:6048
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f2⤵PID:6064
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d ---- /f2⤵PID:6024
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d ---- /f2⤵PID:6056
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f2⤵PID:6040
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f2⤵PID:1052
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d {----} /fW2⤵PID:3800
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d {----} /f2⤵PID:1876
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 1741 /f2⤵PID:2684
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 11191 /f2⤵PID:2924
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d ---- /f2⤵
- Modifies registry key
PID:5328
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 15956-8542-2770-11566-9890 /f2⤵
- Modifies registry key
PID:2116
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 25242-6121-21958-30339-27199 /f2⤵
- Modifies registry key
PID:2380
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 7780-24668 /f2⤵
- Modifies registry key
PID:480
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 6637 /f2⤵
- Modifies registry key
PID:3204
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 24249-11275-24678-24593 /f2⤵
- Modifies registry key
PID:3364
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d FS30151 /f2⤵
- Modifies registry key
PID:6076
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 30131-30005 /f2⤵
- Modifies registry key
PID:5944
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d FS29070 /f2⤵
- Modifies registry key
PID:548
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 25052-7955 /f2⤵
- Modifies registry key
PID:5072
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 17015 /f2⤵PID:3580
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 30436-11974 /f2⤵PID:652
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 13524 /f2⤵
- Modifies registry key
PID:1360
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 20991-811 /f2⤵
- Modifies registry key
PID:2696
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {20877-3303-17097-5893-28574} /f2⤵
- Modifies registry key
PID:1572
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {283-26936-20433-8488-14319} /f2⤵
- Modifies registry key
PID:5172
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {17571-s5921-12999-28580-28176} /f2⤵
- Modifies registry key
PID:3000
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac26222} /f2⤵
- Modifies registry key
PID:3880
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {fefefee10848-32663-25663-29451} /f2⤵PID:5136
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate /t REG_SZ /d 4940 /f2⤵
- Modifies registry key
PID:5124
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductId /t REG_SZ /d 974 /f2⤵
- Modifies registry key
PID:4852
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 22763 /f2⤵
- Modifies registry key
PID:5332
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 22104 /f2⤵
- Modifies registry key
PID:5896
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" "WindowsUpdate /v SusClientId /t REG_SZ /d {21944-26321-25420-1592-7499} /f2⤵
- Modifies registry key
PID:2404
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f2⤵PID:5344
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f2⤵PID:5412
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f2⤵PID:5504
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f2⤵PID:5556
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f2⤵PID:5592
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:5588
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f2⤵PID:5476
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f2⤵PID:5424
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f2⤵PID:5600
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f2⤵PID:5468
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f2⤵PID:4372
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f2⤵
- Checks processor information in registry
PID:5372
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f2⤵PID:1472
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f2⤵PID:2864
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f2⤵PID:5820
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f2⤵PID:4472
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f2⤵PID:5876
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f2⤵PID:5260
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f2⤵PID:5264
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f2⤵PID:5284
-
-
C:\Windows\system32\reg.exereg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f2⤵PID:5300
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f2⤵PID:5316
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f2⤵PID:5908
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f2⤵PID:5912
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App" /f2⤵PID:5968
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol" /f2⤵PID:5964
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol\ms-gamebarservices" /f2⤵PID:5932
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe" /f2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6080
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f2⤵PID:1612
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f2⤵PID:6064
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f2⤵PID:2608
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f2⤵PID:1864
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f2⤵PID:1824
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f2⤵PID:3832
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f2⤵PID:1876
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f2⤵PID:2684
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f2⤵PID:2924
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f2⤵PID:5328
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f2⤵PID:2116
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f2⤵PID:2380
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f2⤵PID:480
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f2⤵PID:3156
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f2⤵PID:6108
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f2⤵PID:3176
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f2⤵PID:6128
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f2⤵PID:6132
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f2⤵PID:3680
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182" /f2⤵PID:3964
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f2⤵PID:5156
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\180" /f2⤵PID:5992
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f2⤵PID:1564
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\181" /f2⤵PID:5196
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f2⤵PID:2820
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f2⤵PID:5128
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f2⤵PID:3196
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f2⤵PID:2528
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f2⤵PID:5132
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f2⤵PID:5500
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f2⤵PID:5528
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f2⤵PID:5536
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f2⤵PID:5508
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f2⤵PID:5572
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f2⤵PID:5432
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f2⤵PID:5420
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f2⤵PID:5560
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f2⤵PID:5584
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f2⤵PID:5380
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f2⤵PID:5596
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f2⤵PID:5484
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f2⤵PID:5376
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f2⤵PID:1852
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f2⤵PID:4952
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f2⤵PID:5824
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f2⤵PID:5816
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f2⤵PID:5836
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f2⤵PID:2704
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f2⤵PID:5880
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f2⤵PID:3180
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f2⤵PID:5368
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f2⤵PID:5904
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f2⤵PID:5280
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f2⤵PID:5300
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f2⤵PID:5316
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f2⤵PID:5908
-
-
C:\Windows\system32\reg.exereg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f2⤵PID:5912
-
-
C:\Windows\system32\reg.exereg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f2⤵PID:5968
-
-
C:\Windows\system32\reg.exereg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f2⤵PID:3048
-
-
C:\Windows\system32\reg.exereg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f2⤵PID:5940
-
-
C:\Windows\system32\reg.exereg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f2⤵PID:4604
-
-
C:\Windows\system32\reg.exereg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f2⤵PID:6036
-
-
C:\Windows\system32\reg.exereg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f2⤵PID:6024
-
-
C:\Windows\system32\reg.exereg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f2⤵PID:6020
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0" /f2⤵PID:3732
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}" /f2⤵PID:1968
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f2⤵PID:3368
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f2⤵PID:4496
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f2⤵PID:3240
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f2⤵PID:404
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f2⤵PID:736
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f2⤵PID:1120
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f2⤵PID:916
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f2⤵PID:3204
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f2⤵PID:3364
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f2⤵PID:3336
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f2⤵PID:4420
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f2⤵PID:6124
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f2⤵PID:6136
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f2⤵PID:3580
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f2⤵PID:3128
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f2⤵PID:1572
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f2⤵PID:5196
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f2⤵PID:2820
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f2⤵PID:5340
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f2⤵PID:3196
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f2⤵PID:1596
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f2⤵PID:5332
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f2⤵PID:3912
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f2⤵PID:5344
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f2⤵PID:5572
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f2⤵PID:5532
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499" /f2⤵PID:5552
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2" /f2⤵PID:5564
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572" /f2⤵PID:5576
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\DefaultIcon" /f2⤵PID:5596
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell" /f2⤵PID:5484
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open" /f2⤵PID:5428
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open\command" /f2⤵PID:3248
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Children\03ce6902-ff58-41de-ab92-36fcaf27a580" /f2⤵PID:5684
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Parents\fd13f746e7d2d69760b017363f621255c9b49ac8" /f2⤵PID:5812
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f2⤵PID:5884
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499" /f2⤵PID:3180
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2" /f2⤵PID:5368
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572" /f2⤵PID:5296
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\DefaultIcon" /f2⤵PID:5300
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell" /f2⤵PID:5860
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open" /f2⤵PID:5936
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open\command" /f2⤵PID:4024
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f2⤵PID:5964
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f2⤵PID:5940
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f2⤵PID:6048
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f2⤵PID:6024
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f2⤵PID:2608
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f2⤵PID:5440
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f2⤵PID:3832
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f2⤵PID:2512
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXm8fs0gj5h36ynw4kq0x3gqnz6ecr1kvy\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe: (NULL!)" /f2⤵PID:3240
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-gamebarservices\AppXm8fs0gj5h36ynw4kq0x3gqnz6ecr1kvy\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe: (NULL!)" /f2⤵PID:2116
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f2⤵PID:2380
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f2⤵PID:6052
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f2⤵PID:6104
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol\ms-gamebarservices\ACID: "App.AppXe655y38cadddpg1xd2b5k915wndhg5gm.mca"" /f2⤵PID:3176
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe\LastDetectionTime: F9 8F FD B6 8D 13 D5 01" /f2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5072
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\AppPackageType: 0x00000000" /f2⤵PID:3076
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\PackageSid: "S-1-15-2-1823635404-1364722122-2170562666-1762391777-2399050872-3465541734-3732476201"" /f2⤵PID:5992
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\EnterpriseID: 0x00000000" /f2⤵PID:1572
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\CapSids: 0A 00 00 00 01 02 00 00 00 00 00 0F 03 00 00 00 01 00 00 00 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 E8 41 FE 65 15 CB 86 8E 43 2C E1 30 42 2A B3 51 4E 9C 0E 17 B4 1B 89 09 98 DA 44 8D 13 6A 0C B3 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 E4 29 72 AE 52 A9 2E 19 C4 FB 6C 51 9E 00 25 50 5B 64 A6 6F A4 D2 D0 57 D2 DB D7 37 F2 B0 85 AC 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 0B 44 35 CF 44 6C 30 B5 4C 90 DA 15 DB 4C 09 94 5A 08 A5 69 F0 DC C5 65 02 4A 7B B9 A8 2C DA C2 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 3C DA 35 57 2A 15 FA C8 02 C1 BC 52 65 2B D8 EC C8 8E 72 9B 62 79 A8 20 65 1E 06 07 AF 02 70 0C 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 CE 22 45 27 27 B8 EA 12 11 8A 20 EF 09 19 FD 6B B8 B4 A0 D6 03 10 5B DD D6 CF 74 85 60 22 D2 CD 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 0A D5 CA 1A 96 05 1C F5 5E 2C 0C CE 2A E" /f2⤵PID:4624
-
-
C:\Windows\system32\reg.exereg delete "8 F3 66 B9 86 13 95 5D 1A 40 0A 7F 52 A9 BA B2 23 04 83 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 38 B0 4E D5 42 5B 15 DF 75 ED 77 00 0E 5B 16 73 C1 5E D2 AF 68 BF 75 AD 38 35 1D 6A 1E 9A 12 F7 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 AF 37 E5 A2 58 AD 48 66 53 E6 1F 53 B9 42 0E EA 34 9C E5 B6 48 3A DB 78 9F 5C A7 33 FE 7E 97 1A 01 08 00 00 00 00 00 0F 03 00 00 00 CC 77 B2 6C CA 01 58 51 6A 28 60 81 E1 F6 0B 69 78 9C FE 8E 66 F8 8F CE 29 11 79 DE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" /f2⤵PID:3232
-
-
C:\Windows\system32\reg.exereg delete " 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" /f2⤵PID:5140
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\ApplicationFlags: 0x00000000" /f2⤵PID:4852
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f2⤵PID:5500
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f2⤵PID:5540
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f2⤵PID:5548
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f2⤵PID:5412
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f2⤵PID:5556
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f2⤵PID:5552
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f2⤵PID:5436
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f2⤵PID:5480
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f2⤵PID:5468
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f2⤵PID:1440
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f2⤵PID:3248
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f2⤵PID:2864
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f2⤵PID:5372
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f2⤵PID:4324
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f2⤵PID:5876
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f2⤵PID:5264
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f2⤵PID:2704
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f2⤵PID:5368
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f2⤵PID:5904
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f2⤵PID:5492
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f2⤵PID:5860
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f2⤵PID:5948
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f2⤵PID:5908
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f2⤵PID:6072
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f2⤵PID:5964
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f2⤵PID:6064
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f2⤵PID:1932
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 30 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 7E 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f2⤵PID:5176
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f2⤵PID:3368
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFamily: 0x0000004E" /f2⤵PID:4496
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageType: 0x00000001" /f2⤵PID:2056
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Flags: 0x00000000" /f2⤵PID:1120
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageOrigin: 0x00000003" /f2⤵PID:916
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Volume: 0x00000001" /f2⤵PID:2028
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f2⤵PID:2924
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 31 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 78 36 34 5F 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f2⤵PID:5152
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f2⤵PID:6052
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFamily: 0x0000004E" /f2⤵PID:6104
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageType: 0x00000004" /f2⤵PID:5144
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Flags: 0x00000000" /f2⤵PID:5796
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageOrigin: 0x00000003" /f2⤵PID:6124
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Volume: 0x00000001" /f2⤵PID:6076
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f2⤵PID:3364
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 32 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 73 70 6C 69 74 2E 73 63 61 6C 65 2D 31 30 30 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f2⤵PID:5184
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\Package: 0x00000180" /f2⤵PID:3704
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\User: 0x00000003" /f2⤵PID:4624
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 30 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 30 00 00" /f2⤵PID:3000
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\Package: 0x00000181" /f2⤵PID:3128
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\User: 0x00000003" /f2⤵PID:5928
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 31 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 31 00 00" /f2⤵PID:5140
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\Package: 0x00000182" /f2⤵PID:5388
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\User: 0x00000003" /f2⤵PID:4852
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 32 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 32 00 00" /f2⤵PID:5344
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\Package: 0x00000180" /f2⤵PID:5504
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\User: 0x00000004" /f2⤵PID:5548
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 33 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 30 00 00" /f2⤵PID:1984
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\Package: 0x00000181" /f2⤵PID:5588
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\User: 0x00000004" /f2⤵PID:5404
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 34 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 31 00 00" /f2⤵PID:5596
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml"" /f2⤵PID:5604
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxManifest.xml"" /f2⤵PID:1440
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe\AppxManifest.xml"" /f2⤵PID:1472
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml"" /f2⤵PID:5372
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\LastReturnValue: 0x00000000" /f2⤵PID:4952
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\NumberOfAttempts: 0x00000001" /f2⤵PID:4324
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxManifest.xml"" /f2⤵PID:5876
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe\AppxManifest.xml"" /f2⤵PID:5164
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3D39855: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f2⤵PID:4472
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3CF4055: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f2⤵PID:5520
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\Google\Update\UsageStats\Daily\Counts\cup_ecdsa_http_failure: 01 00 00 00 00 00 00 00" /f2⤵PID:5292
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\AppPackageType: 0x00000000" /f2⤵PID:5812
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\PackageSid: "S-1-15-2-1823635404-1364722122-2170562666-1762391777-2399050872-3465541734-3732476201"" /f2⤵PID:5288
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\EnterpriseID: 0x00000000" /f2⤵PID:5300
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\CapSids: 0A 00 00 00 01 02 00 00 00 00 00 0F 03 00 00 00 01 00 00 00 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 E8 41 FE 65 15 CB 86 8E 43 2C E1 30 42 2A B3 51 4E 9C 0E 17 B4 1B 89 09 98 DA 44 8D 13 6A 0C B3 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 E4 29 72 AE 52 A9 2E 19 C4 FB 6C 51 9E 00 25 50 5B 64 A6 6F A4 D2 D0 57 D2 DB D7 37 F2 B0 85 AC 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 0B 44 35 CF 44 6C 30 B5 4C 90 DA 15 DB 4C 09 94 5A 08 A5 69 F0 DC C5 65 02 4A 7B B9 A8 2C DA C2 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 3C DA 35 57 2A 15 FA C8 02 C1 BC 52 65 2B D8 EC C8 8E 72 9B 62 79 A8 20 65 1E 06 07 AF 02 70 0C 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 CE 22 45 27 27 B8 EA 12 11 8A 20 EF 09 19 FD 6B B8 B4 A0 D6 03 10 5B DD D6 CF 74 85 60 22 D2 CD 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 0A D5 CA 1A 96 05 1C F5 5E 2" /f2⤵PID:5276
-
-
C:\Windows\system32\reg.exereg delete "C 0C CE 2A E8 F3 66 B9 86 13 95 5D 1A 40 0A 7F 52 A9 BA B2 23 04 83 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 38 B0 4E D5 42 5B 15 DF 75 ED 77 00 0E 5B 16 73 C1 5E D2 AF 68 BF 75 AD 38 35 1D 6A 1E 9A 12 F7 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 AF 37 E5 A2 58 AD 48 66 53 E6 1F 53 B9 42 0E EA 34 9C E5 B6 48 3A DB 78 9F 5C A7 33 FE 7E 97 1A 01 08 00 00 00 00 00 0F 03 00 00 00 CC 77 B2 6C CA 01 58 51 6A 28 60 81 E1 F6 0B 69 78 9C FE 8E 66 F8 8F CE 29 11 79 DE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" /f2⤵PID:6072
-
-
C:\Windows\system32\reg.exereg delete " 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" /f2⤵PID:4636
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\ApplicationFlags: 0x00000000" /f2⤵PID:6048
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f2⤵PID:2004
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f2⤵PID:3832
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f2⤵PID:2684
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f2⤵PID:2344
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f2⤵PID:1876
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f2⤵PID:4496
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2056
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f2⤵PID:1120
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:916
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f2⤵PID:3984
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f2⤵PID:6112
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f2⤵PID:6108
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f2⤵PID:6104
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f2⤵PID:6132
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f2⤵PID:2628
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f2⤵PID:3336
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f2⤵PID:3364
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f2⤵PID:5184
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f2⤵PID:3704
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f2⤵PID:4624
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f2⤵PID:5156
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f2⤵PID:5256
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f2⤵PID:5512
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5384
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f2⤵PID:5336
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4852
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f2⤵PID:3912
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f2⤵PID:2404
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f2⤵PID:5548
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f2⤵PID:5516
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f2⤵PID:1984
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f2⤵PID:5528
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f2⤵PID:5576
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f2⤵PID:5532
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f2⤵PID:5404
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0\: "{2}.\\?\hdaudio#func_012⤵PID:5420
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Cleaners\DX Tourney Cleaner (FN)4.bat"1⤵
- Drops file in Windows directory
PID:6140 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3964
-
-
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"2⤵PID:5124
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im epicgameslauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5528
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5868
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im OneDrive.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5280
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5932
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im UnrealCEFSubProcess.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6008
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im CEFProcess.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3364
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2352
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEService.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEServices.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5524
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BattleEye.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5668
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im PerfWatson2.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5820
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im vgtray.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4636
-
-
C:\Windows\system32\sc.exeSc stop EasyAntiCheat2⤵
- Launches sc.exe
PID:4416
-
-
C:\Windows\system32\sc.exeSc stop FortniteClient-Win64-Shipping_EAC2⤵
- Launches sc.exe
- System Network Configuration Discovery: Internet Connection Discovery
PID:4244
-
-
C:\Windows\system32\sc.exeSc stop BattleEye2⤵
- Launches sc.exe
PID:1124
-
-
C:\Windows\system32\sc.exeSc stop FortniteClient-Win64-Shipping_BE2⤵
- Launches sc.exe
- System Network Configuration Discovery: Internet Connection Discovery
PID:2512
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f2⤵PID:5348
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f2⤵PID:5528
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Identifiers" /va /f2⤵PID:5380
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Hardware Survey" /va /f2⤵PID:5420
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:5448
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games" /f2⤵PID:5584
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-32013 /f2⤵
- Modifies registry key
PID:5816
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-16195 /f2⤵
- Modifies registry key
PID:5396
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:5708
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f2⤵PID:5236
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5280
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"2⤵PID:5272
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5320
-
-
C:\Windows\system32\reg.exereg delete "HKU\.Dreg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:1612
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f2⤵PID:6064
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f2⤵PID:1932
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f2⤵PID:3800
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5600
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:704
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im OneDrive.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5824
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f2⤵PID:5848
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f2⤵PID:5872
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f2⤵PID:5268
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f2⤵PID:2704
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f2⤵PID:4472
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f2⤵PID:5904
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f2⤵PID:5284
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f2⤵PID:5980
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f2⤵PID:5968
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f2⤵PID:5860
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f2⤵PID:5948
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f2⤵PID:5956
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f2⤵PID:1436
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"2⤵PID:5936
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"2⤵PID:5964
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"2⤵PID:6024
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6020
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4244
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im OneDrive.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f"2⤵PID:5300
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f2⤵PID:5304
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f"2⤵PID:5276
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f"2⤵PID:5908
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f"2⤵PID:5956
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f"2⤵PID:5940
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f"2⤵PID:5936
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f"2⤵PID:6040
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f"2⤵PID:6056
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games. /f"2⤵PID:1580
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f"2⤵PID:744
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f2⤵PID:5676
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r3978 /f2⤵
- Modifies registry key
PID:4532
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d r15853 /f2⤵
- Modifies registry key
PID:2644
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be26959} /f2⤵
- Modifies registry key
PID:6036
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee18169-17462-10430-18841} /f2⤵
- Modifies registry key
PID:3968
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {fefefe4639-13303-9762-10936} /f2⤵
- Modifies registry key
PID:1824
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d r9504 /f2⤵
- Modifies registry key
PID:1544
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r4381 /f2⤵
- Modifies registry key
PID:1892
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r8313 /f2⤵
- Modifies registry key
PID:3368
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd2460-5370-14654-26959} /f2⤵
- Modifies registry key
PID:4224
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {BE29359} /f2⤵
- Modifies registry key
PID:1236
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {31041-28458-23428-11110} /f2⤵
- Modifies registry key
PID:3836
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {16230-28961-26793-6677} /f2⤵
- Modifies registry key
PID:4360
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 17209 /f2⤵
- Modifies registry key
PID:1196
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 16196 /f2⤵
- Modifies registry key
PID:2516
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 5548 /f2⤵
- Modifies registry key
PID:5920
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 24583-20653-9802-10936 /f2⤵
- Modifies registry key
PID:2768
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 22990 /f2⤵
- Modifies registry key
PID:4172
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {29403-25204-6743-31192} /f2⤵
- Modifies registry key
PID:1648
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 13386-28355-25562-12611 /f2⤵
- Modifies registry key
PID:3628
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:2132
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f2⤵PID:4388
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f2⤵PID:3220
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f2⤵PID:2380
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f2⤵PID:5152
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f2⤵PID:3928
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f2⤵PID:3884
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f2⤵PID:5712
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f2⤵PID:5796
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f2⤵PID:3680
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f2⤵PID:548
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f2⤵PID:5992
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f2⤵PID:3336
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 13422 /f2⤵PID:6076
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 21608 /f2⤵PID:5668
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 29946 /f2⤵
- Modifies registry key
PID:1444
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 23282 /f2⤵
- Modifies registry key
PID:1248
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f2⤵PID:1208
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d TS-eac13934 /f2⤵
- Modifies registry key
PID:5196
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d TS-3708 /f2⤵
- Modifies registry key
PID:3128
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac20159} /f2⤵
- Modifies registry key
PID:4624
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {TS-23777-3371-22001-29089} /f2⤵
- Modifies registry key
PID:5256
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {TS-29621-2173-27081-21742} /f2⤵
- Modifies registry key
PID:5500
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d TS-23704 /f2⤵
- Modifies registry key
PID:5512
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:4476
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 18367 /f2⤵
- Modifies registry key
PID:4796
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 10117 /f2⤵
- Modifies registry key
PID:5896
-
-
C:\Windows\system32\reg.exereg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f2⤵PID:2860
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f2⤵PID:2404
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f2⤵PID:2300
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f2⤵PID:5436
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f2⤵PID:5532
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f2⤵PID:5576
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f2⤵PID:1136
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f2⤵PID:5212
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f2⤵PID:5480
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f2⤵PID:5452
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Cleaners\DX Tourney Cleaner (FN)5.bat"1⤵PID:1472
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5396
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Cleaners\DX Tourney Cleaner (FN)6.bat"1⤵PID:3732
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2512
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Cleaners\DX Tourney Cleaner (FN)7.bat"1⤵
- Enumerates connected drives
PID:2924 -
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5144
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6132
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\Desktop\Cleaners\DX Tourney Cleaner (FN)7.bat"2⤵PID:5356
-
C:\Windows\system32\findstr.exefindstr /b ::: "C:\Users\Admin\Desktop\Cleaners\DX Tourney Cleaner (FN)7.bat"3⤵PID:5384
-
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /f2⤵
- Modifies registry class
PID:4812
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f2⤵
- Modifies registry class
PID:5484
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU" /f2⤵
- Modifies registry class
PID:5468
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags" /f2⤵PID:1772
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU" /f2⤵PID:3248
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /f2⤵PID:5352
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /f2⤵PID:2864
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache" /f2⤵PID:3448
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /f2⤵PID:5880
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /f2⤵PID:3180
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /f2⤵PID:4080
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /f2⤵PID:5868
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist" /f2⤵PID:5308
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f2⤵
- Enumerates system info in registry
PID:5904
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f2⤵
- Enumerates system info in registry
PID:5008
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f2⤵
- Enumerates system info in registry
PID:5492
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f2⤵
- Enumerates system info in registry
PID:3048
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f2⤵
- Enumerates system info in registry
PID:5908
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f2⤵
- Checks processor information in registry
PID:6044
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f2⤵PID:5272
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:5320
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im epicgameslauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:400
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6048
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4244
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
PID:1124
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵
- Kills process with taskkill
PID:4172
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f2⤵PID:4080
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:4724
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f2⤵PID:1952
-
-
C:\Windows\system32\reg.exereg delete "HKU\.Dreg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:5784
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f2⤵PID:5752
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f2⤵PID:2176
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f2⤵PID:2888
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f2⤵PID:5812
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f2⤵PID:3940
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f2⤵PID:3692
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f2⤵PID:2464
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f2⤵PID:1360
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f2⤵PID:3868
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f2⤵PID:5300
-
-
C:\Windows\system32\reg.exereg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f2⤵PID:5304
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f2⤵PID:5280
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f2⤵PID:6072
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f2⤵PID:4636
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f2⤵PID:5964
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f2⤵PID:6024
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f2⤵PID:6056
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f2⤵PID:3552
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f2⤵PID:5672
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f2⤵PID:5616
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"2⤵PID:2644
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"2⤵PID:6036
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"2⤵PID:1052
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f"2⤵PID:1824
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f2⤵PID:4204
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4224
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"2⤵PID:3428
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1124
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f"2⤵PID:2284
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f"2⤵PID:5836
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f"2⤵PID:660
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f"2⤵PID:1272
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f"2⤵PID:3944
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f"2⤵PID:5168
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f"2⤵PID:2768
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games. /f"2⤵PID:4172
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f"2⤵PID:1648
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f2⤵PID:4856
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Cleaners\DX Tourney Cleaner (FN)8.bat"1⤵PID:2352
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5572
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5556
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5380
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5452
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\Desktop\Cleaners\DX Tourney Cleaner (FN)8.bat"2⤵PID:6076
-
C:\Windows\system32\findstr.exefindstr /b ::: "C:\Users\Admin\Desktop\Cleaners\DX Tourney Cleaner (FN)8.bat"3⤵PID:1572
-
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /f2⤵PID:3128
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f2⤵PID:5928
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU" /f2⤵PID:5988
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags" /f2⤵PID:5140
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU" /f2⤵PID:5384
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /f2⤵PID:5356
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /f2⤵PID:4820
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache" /f2⤵PID:6088
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /f2⤵PID:2036
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /f2⤵PID:5412
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /f2⤵PID:1596
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /f2⤵PID:1984
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist" /f2⤵PID:5556
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f2⤵
- Enumerates system info in registry
PID:5464
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f2⤵
- Enumerates system info in registry
PID:5380
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f2⤵
- Enumerates system info in registry
PID:5480
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f2⤵
- Enumerates system info in registry
PID:5420
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f2⤵
- Enumerates system info in registry
PID:552
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f2⤵
- Checks processor information in registry
PID:3432
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f2⤵PID:4728
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵PID:4816
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im epicgameslauncher.exe2⤵
- Kills process with taskkill
PID:3228
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe2⤵
- Kills process with taskkill
PID:4608
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
PID:5484
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe2⤵
- Kills process with taskkill
PID:5828
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe2⤵
- Kills process with taskkill
PID:5816
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵PID:5200
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
PID:5880
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵
- Kills process with taskkill
PID:5368
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5bada31e60d6af0e79f711b7df9e61381
SHA12fd79e0e255bf18fbaa846e9ddaed905a67bb504
SHA25614b57202a8621a680088aaefe0da4fc4cc11bb40b489b793d9dd57942183e019
SHA5120a56aa177b46e7b2ef1720824e442f4f00fa52844251e6ba7b48c546aef2fd996d021ec8fd8ac3b59025077eb40de4e9a62947d2c75efda5cefd49353693c331
-
Filesize
328B
MD589629be6f0b6447488d21009ca7c29c1
SHA1688f4c6887f67c2c3e26a8a78615fa4c2f1a9401
SHA256e67f1b79e35f5440687dc78329187b05a3af073b9f48fa99171d61dc43ebb644
SHA51221c2f2e8dbf9e6f73d0cd80a5fa4423dfcc8fb95ad0671cc8b2035a69ec99814633c69a7632dff3988dca90d5c0f01287866464a5d1ffcfce07e0e67ad7ff8fa
-
Filesize
412B
MD5870b9a459b07041d81df9eadcf5ce0df
SHA1d9958ade23a35818feed0b0d9d7ab75b2fcfea7b
SHA256b4582c38b1ab7244c333bae2929b58010de3d32aff9c8fde1873e64306740683
SHA51200d770d3a9f78be2bf9b6bfc77364cd9ac527e4f33fd6cb9369dd30ac5ca61b679c46cb7e5432b958c72d7118ced7ef297ad8e9941d4bd37ddc7039ccdd65559
-
Filesize
152B
MD5d4bc32eb841f2b788106b7b5a44c13f4
SHA127868013e809484e5ac5cb21ee306b919ee0916e
SHA256051cdf1896c2091e9ff822c2118fda400e2de25ee323e856bf9eb0c64c7a7257
SHA5127a4963ea09832503179642ee750b1c8024373c66b4fce2bd316b782d1fc670c1c77cdb31f9316b34c78b6f3f1c99d90fb50e0500b72f4a647adf7653c44d242b
-
Filesize
152B
MD5c8eb7d84aaea5c0c37cdce43d1ad96dd
SHA10a27d004b734e4c486372c6888111b813e806811
SHA25627ec491fe2b7f0eb567a44deb50c74408376ff3addf6c88a2b1060adc4a5976e
SHA512f39070a20583f7ff33b7b3c0e97c08da2a3ff36049e256bbe0d0031bf15579c6d9c3da8d1f9daac1073519b648a1d005a8fa195ee2232b2962516e9aa14dac3f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize48B
MD5885e3c16ec632cdadee87f6aa21e9dcd
SHA12fbadc7d223a528c4b5710bef629e191a9166c34
SHA256b19ba63b8abd672e46735504a6cd093bc916ecb431c2733472acf0082762188a
SHA512c345cc521c6b85422fb0e97673afd8d275b36c22ea2b4b625c99a84c4e2cecd1dfa88e473f411067d8c97508e4c4391cbfa4fee8e85c04bbc4ed0ec0a67df50a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize144B
MD5bb3bb4fc6c05e1884afae98dd4a7f0c3
SHA162fbb7fa4c43542b361ef9fe8414acb7ac592989
SHA256c94c178b578fad682b0d7f7e11d1a0d729d96e016a09a357f809ee0e2af3d315
SHA512d573b0d2dd08c343118f4495a69e9af7559d955bcdec124741121b0e5fce4410218fb9818ea1ff65f5862aa43a351a1646b0227e4cb424530244aad5e5b45bea
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
938B
MD5216bff7b67ae196cd8521f14c3e9d284
SHA1a3fb4648fc2a9f09c11a939395fb81a2815ee10a
SHA2566052645e9515aace04ca4d9b5ed107c288e2ad298b3cdfbfeb529e4bda523624
SHA512ffc91643de538f1b9c5725cb8d60633fb6159f904aae1c71f5be3b43f508569c39e42df41814aad57837401577780c5c7933badb19b8adeab82bbb30ba4f9b5b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5898e0.TMP
Filesize59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
5KB
MD5651194b419f221f0b232031be74678ac
SHA1ea22685d23db105979cd22a84aa7a83068ef8e03
SHA2565a7fe7ce14d13fd2c470557074fc91eee51a884bec7d9fffbcebcabcfa48feb0
SHA51236983c55268d38d81d0bcfb25d7f7bc8ab6340d2eea3f62f2ccfd5e25413d4cc6d0ea76c5d29e749f5a4d248662c8f737f7e37b296f88e619fcde8a8ee78f0c5
-
Filesize
5KB
MD5665e4188ac7a8b94843ff754d6cf96b7
SHA1bc33e15f9d74d8956d37934cfaa6c70e2c9dd40a
SHA2567d3a4072de4c63841fa808cae30700b947f44ad3a9467577a52c8dec3bbb32e5
SHA5129cfd65364d1dfd8b8d845c1a1e9981688b5415e0a9bd30cbc0780c369ca7154c10d5f720d7c15b1eb74e12487249cc97969d3d490fa903839f4ea9041302fbb7
-
Filesize
24KB
MD56338e51cf2d1cb4bfea21c7d81cb3dc3
SHA10049d2863f309423d889fed141ef1f146246ac82
SHA2562636a794e74289532973b8f1f9c62a0009520dad49951c956dceba846835e0ac
SHA512ffcbb8f086de4ca9b51f2a86ff75f283afd9a08ba7fdfc16b119f4b80e452579fed0c7d5eb02cda11e6d7c6762ca8d5a1e542e90e106020f530d755933fb3ea2
-
Filesize
24KB
MD5b321aef296129848c0c2c5c77ee69951
SHA1402afa01ec8a6990a78514994f9648aedead5817
SHA256e44d575c1dfcf221b68c84c2cf1d4f1bea45a7e32cd8010228acff6120daff1f
SHA512cbb689d400fceb2f59d67e9e9d28007d2bb7562cf18f806420a9adbb08e0be5825153a44d4199ed03fc8e87311c2f5d4ab9aec5f3667984572070487475e8642
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a5e3a5a0-4c2e-4f48-b94a-5e151326d6ad.tmp
Filesize5KB
MD59b71fa9e89a525a772bd8efa411bf5c2
SHA1be4c4a2f71000ba7f01d1c682019ad3119e3572f
SHA256468fd3f1f4d05af0157976c08e6476c028aa7ea3a9eba4cff0d4dead09d5aa62
SHA5127447c45e288460121aa05881c066237669108e90724e94bcd7b5585fbc4b129a1500a3e0bbb91ee22c92501314cda76bbea79ddf8d5fcaac69dc1c66f64ba78b
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
8KB
MD5a5be3de929ed7dfa4762555fe4958418
SHA1e52d0e309263b1e2e71168675af99605789837f7
SHA2563a45954571564f2aea5ae72167d444dab99b45a767ac3170fb6cafdd0aa09785
SHA512da29d47f4f980088a5835042973a0ff9c4e3aa1a73f4bfa7f7e997be62fe2365e286f49c63186a47596e4fe9867f2c0d8d2524ea2c50a9137e831d73b0b647e9
-
Filesize
10KB
MD52c7cce01e267b6648fbbe46c00619392
SHA12a88da0a25bcbf9f37238a4805cbfd9baf5580b9
SHA2563f1c22e2f7b2f770c9a2cc4fed3849e73f71503200c772d7655ba64bc8e7e53c
SHA51214bf5cf7039a5e13832aa45b3d4f6c9de3e1f1b84df9eb874b1c801eda026cea107577db60fba3153955c260a16b242387b0c801fff7d50ba8bde6d59e854bcb
-
Filesize
53B
MD54df4681938043c8132144cbff580f745
SHA1b93eabb655226a653028b09ffdf0ca0b78ab8a24
SHA25608541c29238f45ed00cab3afbeb272985d08a3166e5c0332679be31b75139a51
SHA512120dbcb0063abea5bd022fc28e42e41126cc87a8434afda34aee7b40c81d3cfcf4d865674549607e674ff1dd7ba4357de0131dad74beac0f7638b3817c3e2e53
-
Filesize
224KB
MD509bd0f4196902acac51ec4fab447da46
SHA15d15beebfb17323b8d973546cf9c4cbb4f0cb0c9
SHA256a252dde73c00028fb3f4ea18340f072dcb19b5ba60286ab8baf936437624dc3e
SHA512aff8d4e1e746bf8c5cb9054a44f3a516b5110e76295621f40d715831e86d8fbfa34588019f7ea00ee06627205a38c597f677250c190729f03063c5c278eadef3
-
Filesize
67KB
MD5d90225fd9b81ab5c78cc122e657238d2
SHA12d631fc94778bf38db6068867db32eaacf2456df
SHA256f88840a3fa6bb3ae1cc45ab67d64beaec1f2dad424f50ecbc5f80137edd35f6b
SHA5123b56a9a920d3f4d153e87445f11f5f18cdd50c8d4376af0769a39d9ee5a9b1a6d06917066ed568073f648f189c4af7b9d5ffe3813a6d27ba900317fcf9bbadc6
-
Filesize
6KB
MD5d132376c80be48f630ffba693d9afd58
SHA145e4042a2d5614d3f35c7a033c2de176d541b367
SHA256c4ee91af04867038ff43f495286a1bb31e5af6675412b99dce27bc263e13ad47
SHA512123cdf49058b5d260356a69d8db71b7c607ab640c8b251e1dd68c21cb081dbf79da0ad90490e9239c98d1afe66ac0930c7ff2efec0f30c0daaab4ab97183a837
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD519c8b8ddf7a6637e96b961e060ef0beb
SHA1bf9f4ea6696bed9132efa7607935b6e2d7f353fd
SHA2568f9db1e68022f7b729f4395583151cc0ba2c8f77552a295d69231df9e8aa59c2
SHA512a3b4c7d7dfd4cdd962ad506baa4d1c301684dff789aa3cd5ec6d8e124b975ac62856eeb50b0a42fae574fed585d63489544fa3824ed10b2666acbe82fde3d944
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD57f1ff32e1de7a5983c6843dd17014860
SHA15274b7e4b7a3cca864ae4c05840781dc83498df7
SHA25660ba9fdefb22c69f1cd6bb8fba21a6a15ae3831e0c32509e925864b0993fbced
SHA512b1e4c0bde72d7e0e9fb924ae0ae014ad57fb5488ed3182dd18a8004c05b125cfc87230097f3e6f0bfe145c2c021d15194497bf788dc72f2546418fa2a2938ee9
-
Filesize
85KB
MD55deab44c6a7bc493f804855fb65b28a3
SHA1031002fe5727e88a1a840340c4bd04bff579388a
SHA2566cb5d7df030a4d71d95af5e983805a3f92e94376a665c742b870faf360e19e19
SHA51285d23d739c2eb75d09ca3e4666c79760442986e59602241da26c17905421811871a7f7aa45ab707ca882cc4ee1c619690bee0722b1098f8ce39be2c1a4ef8b88
-
Filesize
152B
MD5dc955fa44b84be48133883e519d8fe96
SHA13fc23f3f3f639a8c4d757a53ee7ea3e5254f0f6a
SHA256e9af3604eda4908531f7abb7e8c8933cc7a8533af24b5bd27f7d4892fcccadd5
SHA512a3ee8bcb5f74d06cf4d7cb25adbc20f8e025c5b9feb7eb95960c1696548e38d4964e2c89dae95097a006dd1686357f0db3d0ac46a81111610d4e668cce1782ad