2ba9d1f00b6c9eae7b5328afd6bd6e1561e4d6a831209f94d1f631ebffa72d9c

Analysis

max time kernel
21s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cleaner hackvshack.net.exe
Size

6.1MB
MD5

4a1635b43bc46617b5a2e4916bfd2fa9
SHA1

3bb3b336391251d446775889b5da375336f6305b
SHA256

2ba9d1f00b6c9eae7b5328afd6bd6e1561e4d6a831209f94d1f631ebffa72d9c
SHA512

f76ef411628ffdc37d769b0383317911c002dc5eac57e32e4cd5f6db8da7df5c38aa0c0a4d14d1af383bb58f2f264cf9b55a9e4002c784209ebabb5c6cd37ce2
SSDEEP

98304:ozmsCg59qryH9HVM+hPapWp4XNLHMLRXJGDxP0QlGNdtF8pJ:oSseyd1M+h8WpWLsLBJGvYdQ

Score

7^/10

spyware stealer vmprotect

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
VMProtect packed file 2 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

behavioral1/memory/3536-3-0x00007FF666FA0000-0x00007FF667A7E000-memory.dmp vmprotect
behavioral1/memory/3536-6-0x00007FF666FA0000-0x00007FF667A7E000-memory.dmp vmprotect
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

cleaner hackvshack.net.exe

pid process

3536 cleaner hackvshack.net.exe

resource	yara_rule
behavioral1/memory/3536-3-0x00007FF666FA0000-0x00007FF667A7E000-memory.dmp	vmprotect
behavioral1/memory/3536-6-0x00007FF666FA0000-0x00007FF667A7E000-memory.dmp	vmprotect

pid	process
3536	cleaner hackvshack.net.exe

Drops file in Windows directory 64 IoCs

Processes:

cmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA7DC5~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\c_usbfn.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA04F5~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAC96D~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\MSIXPA~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\.NETFramework\corperfmonsymbols.ini	cmd.exe
File opened for modification	C:\Windows\INF\rspndr.inf	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0C0A\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\.NETFramework\corperfmonsymbols.ini	cmd.exe
File opened for modification	C:\Windows\INF\mdmbug3.inf	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0407\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\scunknown.inf	cmd.exe
File opened for modification	C:\Windows\INF\sti.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA7D49~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAF97F~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\netrass.inf	cmd.exe
File opened for modification	C:\Windows\INF\UGatherer\0409\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\.NETFramework\0411\corperfmonsymbols_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\TermService\0409\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA65FE~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\net7800-x64-n650f.inf	cmd.exe
File opened for modification	C:\Windows\INF\netnb.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\0000\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA2B9F~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAD0D7~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA55DC~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0407\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\WINDOW~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\c_linedisplay.inf	cmd.exe
File opened for modification	C:\Windows\INF\hdaudbus.inf	cmd.exe
File opened for modification	C:\Windows\INF\netl260a.inf	cmd.exe
File opened for modification	C:\Windows\INF\vsmraid.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmcomp.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmdgitn.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmlucnt.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA4D0B~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\040C\PerfCounters_d.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA7D65~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\.NET Data Provider for Oracle\_DataOracleClientPerfCounters_shared12_neutral.ini	cmd.exe
File opened for modification	C:\Windows\INF\SMSvcHost 4.0.0.0\_SMSvcHostPerfCounters.h	cmd.exe
File opened for modification	C:\Windows\INF\TermService\040C\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA90D5~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\mdmairte.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmarn.inf	cmd.exe
File opened for modification	C:\Windows\INF\ehstorpwddrv.inf	cmd.exe
File opened for modification	C:\Windows\INF\hidcfu.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmaus.inf	cmd.exe
File opened for modification	C:\Windows\INF\vca.inf	cmd.exe
File opened for modification	C:\Windows\INF\iaLPSS2i_GPIO2_CNL.inf	cmd.exe
File opened for modification	C:\Windows\INF\hidvhf.inf	cmd.exe
File opened for modification	C:\Windows\INF\microsoft_bluetooth_a2dp_snk.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmkortx.inf	cmd.exe
File opened for modification	C:\Windows\INF\secrecs.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\0407\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\ONECOR~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\storufs.inf	cmd.exe
File opened for modification	C:\Windows\INF\hpsamd.inf	cmd.exe
File opened for modification	C:\Windows\INF\netloop.inf	cmd.exe
File opened for modification	C:\Windows\INF\.NET Data Provider for Oracle\0407\_DataOracleClientPerfCounters_shared12_neutral_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0411\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\defltwk.inf	cmd.exe
File opened for modification	C:\Windows\INF\hidscanner.inf	cmd.exe
File opened for modification	C:\Windows\INF\wstorvsc.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\HELLOF~1.MUM	cmd.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Apple-1577313326715"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "Apple-15773-13326-71520500"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Apple-15773-13326-71520500"	reg.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5052	taskkill.exe
316	taskkill.exe
1544	taskkill.exe
4212	taskkill.exe
1080	taskkill.exe
3004	taskkill.exe
2992	taskkill.exe
4752	taskkill.exe
4972	taskkill.exe
4324	taskkill.exe
1348	taskkill.exe
4228	taskkill.exe
740	taskkill.exe
1848	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 015780205536763090238732186824851399612739	reg.exe

Modifies registry class 5 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\ClsidStore = 157762407518579117951355817941321401692328996297552590525385	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Installer\Dependencies	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Installer	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Installer\Dependencies\MSICache = 0157802055367630902387321868248513996127392360725757	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3960	reg.exe
4392	reg.exe
3740	reg.exe
4336	reg.exe
2764	reg.exe
2472	reg.exe
2328	reg.exe
4040	reg.exe
2296	reg.exe
4920	reg.exe
3300	reg.exe
3248	reg.exe
1096	reg.exe
5024	reg.exe
4512	reg.exe
1868	reg.exe
1560	reg.exe
2992	reg.exe
1868	reg.exe
3828	reg.exe
4676	reg.exe
4632	reg.exe
3568	reg.exe
3828	reg.exe
4392	reg.exe
5040	reg.exe
3592	reg.exe
4704	reg.exe
644	reg.exe
5068	reg.exe
4120	reg.exe
4116	reg.exe
3592	reg.exe
3540	reg.exe
3036	reg.exe
4636	reg.exe
220	reg.exe
4120	reg.exe
1196	reg.exe
2812	reg.exe
3408	reg.exe
4932	reg.exe
2004	reg.exe
4060	reg.exe
4476	reg.exe
4696	reg.exe
988	reg.exe
3560	reg.exe
4880	reg.exe
4964	reg.exe
3552	reg.exe
1940	reg.exe
3260	reg.exe
2904	reg.exe
924	reg.exe
3944	reg.exe
2296	reg.exe
1012	reg.exe
1080	reg.exe
4352	reg.exe
5096	reg.exe
5100	reg.exe
1884	reg.exe
4440	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cleaner hackvshack.net.exe

pid process

3536 cleaner hackvshack.net.exe
3536 cleaner hackvshack.net.exe

pid	process
3536	cleaner hackvshack.net.exe
3536	cleaner hackvshack.net.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	2992	taskkill.exe
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	4212	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	4324	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cleaner hackvshack.net.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3536 wrote to memory of 4540	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 4540	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 2984	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 2984	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 4388	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 4388	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 1600	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 1600	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 1012	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 1012	3536	cleaner hackvshack.net.exe	cmd.exe
PID 1012 wrote to memory of 1544	1012	cmd.exe	taskkill.exe
PID 1012 wrote to memory of 1544	1012	cmd.exe	taskkill.exe
PID 3536 wrote to memory of 4784	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 4784	3536	cleaner hackvshack.net.exe	cmd.exe
PID 4784 wrote to memory of 2992	4784	cmd.exe	taskkill.exe
PID 4784 wrote to memory of 2992	4784	cmd.exe	taskkill.exe
PID 3536 wrote to memory of 4936	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 4936	3536	cleaner hackvshack.net.exe	cmd.exe
PID 4936 wrote to memory of 4752	4936	cmd.exe	taskkill.exe
PID 4936 wrote to memory of 4752	4936	cmd.exe	taskkill.exe
PID 3536 wrote to memory of 2212	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 2212	3536	cleaner hackvshack.net.exe	cmd.exe
PID 2212 wrote to memory of 4972	2212	cmd.exe	taskkill.exe
PID 2212 wrote to memory of 4972	2212	cmd.exe	taskkill.exe
PID 3536 wrote to memory of 2900	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 2900	3536	cleaner hackvshack.net.exe	cmd.exe
PID 2900 wrote to memory of 4212	2900	cmd.exe	taskkill.exe
PID 2900 wrote to memory of 4212	2900	cmd.exe	taskkill.exe
PID 3536 wrote to memory of 4656	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 4656	3536	cleaner hackvshack.net.exe	cmd.exe
PID 4656 wrote to memory of 1348	4656	cmd.exe	taskkill.exe
PID 4656 wrote to memory of 1348	4656	cmd.exe	taskkill.exe
PID 3536 wrote to memory of 1216	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 1216	3536	cleaner hackvshack.net.exe	cmd.exe
PID 1216 wrote to memory of 1080	1216	cmd.exe	taskkill.exe
PID 1216 wrote to memory of 1080	1216	cmd.exe	taskkill.exe
PID 3536 wrote to memory of 332	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 332	3536	cleaner hackvshack.net.exe	cmd.exe
PID 332 wrote to memory of 4228	332	cmd.exe	taskkill.exe
PID 332 wrote to memory of 4228	332	cmd.exe	taskkill.exe
PID 3536 wrote to memory of 1560	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 1560	3536	cleaner hackvshack.net.exe	cmd.exe
PID 1560 wrote to memory of 5052	1560	cmd.exe	taskkill.exe
PID 1560 wrote to memory of 5052	1560	cmd.exe	taskkill.exe
PID 3536 wrote to memory of 3088	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 3088	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3088 wrote to memory of 740	3088	cmd.exe	taskkill.exe
PID 3088 wrote to memory of 740	3088	cmd.exe	taskkill.exe
PID 3536 wrote to memory of 5104	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 5104	3536	cleaner hackvshack.net.exe	cmd.exe
PID 5104 wrote to memory of 1848	5104	cmd.exe	taskkill.exe
PID 5104 wrote to memory of 1848	5104	cmd.exe	taskkill.exe
PID 3536 wrote to memory of 1392	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 1392	3536	cleaner hackvshack.net.exe	cmd.exe
PID 1392 wrote to memory of 3004	1392	cmd.exe	taskkill.exe
PID 1392 wrote to memory of 3004	1392	cmd.exe	taskkill.exe
PID 3536 wrote to memory of 4616	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 4616	3536	cleaner hackvshack.net.exe	cmd.exe
PID 4616 wrote to memory of 316	4616	cmd.exe	taskkill.exe
PID 4616 wrote to memory of 316	4616	cmd.exe	taskkill.exe
PID 3536 wrote to memory of 1940	3536	cleaner hackvshack.net.exe	cmd.exe
PID 3536 wrote to memory of 1940	3536	cleaner hackvshack.net.exe	cmd.exe
PID 1940 wrote to memory of 4324	1940	cmd.exe	taskkill.exe
PID 1940 wrote to memory of 4324	1940	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\cleaner hackvshack.net.exe
"C:\Users\Admin\AppData\Local\Temp\cleaner hackvshack.net.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0b
2⤵
PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
2⤵
PID:684

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
2⤵
PID:3616

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
2⤵
PID:2736

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
3⤵
- Modifies registry key
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:2780

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-15773 /f
3⤵
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:3332

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-15773 /f
3⤵
- Modifies registry key
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-%random%-%random} /f
2⤵
PID:1976

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-15773-%random} /f
3⤵
- Modifies registry key
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
2⤵
PID:3856

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-1577313326715 /f
3⤵
- Modifies registry key
PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-%random% /f
2⤵
PID:4660

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-15773 /f
3⤵
- Modifies registry key
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-%random% /f
2⤵
PID:1480

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-15773 /f
3⤵
- Modifies registry key
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
2⤵
PID:2932

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-1577313326715 /f
3⤵
- Enumerates system info in registry
- Modifies registry key
PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:1468

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-15773-13326-71520500} /f
3⤵
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:1028

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-15773-13326-71520500} /f
3⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:1384

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-15773-13326-71520500} /f
3⤵
- Modifies registry key
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:4000

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-15773-13326-71520500 /f
3⤵
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:3196

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-15773-13326-71520500 /f
3⤵
- Modifies registry key
PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:4388

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-15773-13326-71520500 /f
3⤵
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1656

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-15773-13326-71520500 /f
3⤵
PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:3736

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-15773-13326-71520500 /f
3⤵
- Modifies registry key
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:4856

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-15773-13326-71520500 /f
3⤵
- Enumerates system info in registry
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1864

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-15773-13326-71520500 /f
3⤵
- Enumerates system info in registry
- Modifies registry key
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:4012

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-15773-13326-71520500} /f
3⤵
- Modifies registry key
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:4744

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-15773-13326-71520500} /f
3⤵
- Modifies registry key
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
2⤵
PID:1788

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 15773 /f
3⤵
- Modifies registry key
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
2⤵
PID:1672

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple15773-13326-715-205003244} /f
3⤵
- Modifies registry key
PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f
2⤵
PID:4536

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple15773-13326-715-205003244} /f
3⤵
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
2⤵
PID:1184

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 15773 /f
3⤵
- Modifies registry key
PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
2⤵
PID:2120

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 15773 /f
3⤵
- Modifies registry key
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
2⤵
PID:2412

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 15773 /f
3⤵
PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:4268

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 15773-13326-715-20500 /f
3⤵
- Modifies registry key
PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%-%random%-%random%-%random%%random%%random% /f
2⤵
PID:1784

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 1577624075-18579-11795-13558-179413214016923 /f
3⤵
- Modifies registry key
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
2⤵
PID:2712

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Apple15776-24075-18579-11795 /f
3⤵
- Modifies registry key
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple%random% /f
2⤵
PID:4324

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple15776 /f
3⤵
- Modifies registry key
PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
2⤵
PID:1252

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 15776 /f
3⤵
PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
2⤵
PID:4008

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 15776 /f
3⤵
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple%random%-%random%-%random%-%random%} /f
2⤵
PID:1492

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple15776-24075-18579-11795} /f
3⤵
- Modifies registry key
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
2⤵
PID:1988

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic" "Games /f
3⤵
- Modifies registry key
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games /f
2⤵
PID:5056

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic Games /f
3⤵
- Modifies registry key
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f
2⤵
PID:4208

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f
3⤵
- Modifies registry key
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f
2⤵
PID:2384

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f
3⤵
- Modifies registry key
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
2⤵
PID:3556

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 15776-24075-18579-1179513558 /f
3⤵
- Modifies registry key
PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
2⤵
PID:2316

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
3⤵
- Modifies registry key
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
2⤵
PID:4152

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
3⤵
- Modifies registry key
PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
2⤵
PID:4840

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
3⤵
- Modifies registry key
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
2⤵
PID:3220

C:\Windows\system32\reg.exe
reg delete HKCR\com.epicgames.launcher /f
3⤵
PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
2⤵
PID:4480

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
2⤵
PID:4928

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
2⤵
PID:1860

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
2⤵
PID:3912

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
- Modifies registry key
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
2⤵
PID:880

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
2⤵
PID:2420

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
3⤵
- Modifies registry key
PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:4784

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-15776-24075-1857911795 /f
3⤵
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:4288

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-15776-24075-1857911795 /f
3⤵
- Modifies registry key
PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
2⤵
PID:2656

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
3⤵
- Modifies registry key
PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:4024

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-15776-24075-1857911795 /f
3⤵
- Modifies registry key
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:4196

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-15776-24075-1857911795 /f
3⤵
- Modifies registry key
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:3744

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-15776-24075-1857911795 /f
3⤵
- Modifies registry key
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
2⤵
PID:5016

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
- Modifies registry key
PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
2⤵
PID:764

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
- Modifies registry key
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
2⤵
PID:3088

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
- Modifies registry key
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
2⤵
PID:3880

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
- Modifies registry key
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
2⤵
PID:3004

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
- Modifies registry key
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
2⤵
PID:3712

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
3⤵
- Modifies registry key
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:2320

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 157762407518579117951355817941321401692328996297552590525385 /f
3⤵
- Modifies registry class
- Modifies registry key
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:3996

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-15776-24075-1857911795 /f
3⤵
- Modifies registry key
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:684

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-15776-24075-1857911795 /f
3⤵
- Modifies registry key
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%%random%-%random%-%random%%random%-%random%%random%%random% /f
2⤵
PID:1188

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 1577624075-18579-1179513558-179413214016923 /f
3⤵
- Modifies registry key
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
2⤵
PID:2736

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
3⤵
- Modifies registry key
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1972

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-15776-24075-1857911795 /f
3⤵
- Modifies registry key
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:5112

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-15776-24075-1857911795 /f
3⤵
PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:4412

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 15780205536763090238732186824851399612739236072575725430 /f
3⤵
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:3212

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 157802055367630902387321868248513996127392360725757 /f
3⤵
- Modifies registry class
- Modifies registry key
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:2488

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 1578020553676309023873218682485139961273923607 /f
3⤵
PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:4048

C:\Windows\system32\reg.exe
REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 15780205536763090238732186824851399612739236072575725430 /f
3⤵
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:3680

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 15780205536763090238732186824851399612739 /f
3⤵
- Modifies Internet Explorer settings
- Modifies registry key
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1488

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 15780205536763090238732186824851399612739 /f
3⤵
- Modifies registry key
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:2680

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 15780205536763090238732186824851399612739 /f
3⤵
- Modifies registry key
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:1384

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 1578020553676 /f
3⤵
- Modifies registry key
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:2392

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 1578020553676 /f
3⤵
- Modifies registry key
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:2984

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 1578020553676 /f
3⤵
- Modifies registry key
PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:5028

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 1578020553676 /f
3⤵
- Modifies registry key
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:4232

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 15780205536763090238732186824851399612739236072575725430 /f
3⤵
- Modifies registry key
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.%random%.%random%-%random%_%random%%random% /f
2⤵
PID:2292

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.15780.2055-3676_309023873 /f
3⤵
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
2⤵
PID:4936

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {15780-2055-3676-3090} /f
3⤵
- Modifies registry key
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
2⤵
PID:4216

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
3⤵
- Modifies registry key
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Blizzard Entertainment\Battle.net /f
2⤵
PID:1952

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Blizzard Entertainment\Battle.net /f
3⤵
- Modifies registry key
PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\Software\WOW6432Node\Blizzard Entertainment /f
2⤵
PID:848

C:\Windows\system32\reg.exe
reg delete HKLM\Software\WOW6432Node\Blizzard Entertainment /f
3⤵
- Modifies registry key
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%localappdata%\FortniteGame
2⤵
PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%localappdata%\EpicGames
2⤵
PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%localappdata%\EpicGamesLauncher
2⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s %systemdrive%\$Recycle.Bin
2⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin
2⤵
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin
2⤵
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin
2⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
2⤵
- Drops file in Windows directory
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
2⤵
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
2⤵
- Drops file in Windows directory
PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
2⤵
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Logs
2⤵
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
2⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
2⤵
- Drops file in Windows directory
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
2⤵
PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\Public\Documents
2⤵
PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
2⤵
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
2⤵
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
2⤵
PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
2⤵
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
2⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
2⤵
PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
2⤵
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
2⤵
PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState
2⤵
PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0
2⤵
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState
2⤵
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3
2⤵
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\Intel
2⤵
PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
2⤵
PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
2⤵
PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
2⤵
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
2⤵
PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
2⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
2⤵
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
2⤵
PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
2⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
2⤵
PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
2⤵
PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
2⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
2⤵
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
2⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
2⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\Public\Libraries
2⤵
PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\MSOCache
2⤵
PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3536-0-0x00007FF6670D2000-0x00007FF667457000-memory.dmp

Filesize
3.5MB

Download
memory/3536-3-0x00007FF666FA0000-0x00007FF667A7E000-memory.dmp

Filesize
10.9MB

Download
memory/3536-2-0x00007FFB5AEC0000-0x00007FFB5AEC2000-memory.dmp

Filesize
8KB

Download
memory/3536-1-0x00007FFB5AEB0000-0x00007FFB5AEB2000-memory.dmp

Filesize
8KB

Download
memory/3536-6-0x00007FF666FA0000-0x00007FF667A7E000-memory.dmp

Filesize
10.9MB

Download