Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10FN-TOOLZ-m...AN.bat
windows10-2004-x64
10Tournament...ew.exe
windows10-2004-x64
6Tournament...al.dll
windows10-2004-x64
1Tournament...UI.dll
windows10-2004-x64
1Tournament...cl.exe
windows10-2004-x64
1Tournament...uz.exe
windows10-2004-x64
9Tournament...dc.exe
windows10-2004-x64
1Tournament...ft.exe
windows10-2004-x64
1Tournament...64.exe
windows10-2004-x64
1Tournament...32.exe
windows10-2004-x64
1Tournament...64.exe
windows10-2004-x64
4Tournament...fg.exe
windows10-2004-x64
3Tournament...sg.exe
windows10-2004-x64
3Tournament...sr.exe
windows10-2004-x64
10Tournament...wg.exe
windows10-2004-x64
1Tournament...sm.dll
windows10-2004-x64
1Tournament...xy.dll
windows10-2004-x64
7Tournament...ry.dll
windows10-2004-x64
1Tournament...ll.dll
windows10-2004-x64
1Tournament...pi.dll
windows10-2004-x64
1Tournament...32.dll
windows10-2004-x64
1Tournament...da.dll
windows10-2004-x64
1Tournament...ve.dll
windows10-2004-x64
1Tournament...70.dll
windows10-2004-x64
1Tournament...rl.exe
windows10-2004-x64
3Tournament...64.exe
windows10-2004-x64
3Tournament...cs.exe
windows10-2004-x64
8Tournament...64.exe
windows10-2004-x64
10Tournament...tm.exe
windows10-2004-x64
3Tournament...mc.exe
windows10-2004-x64
1FN-TOOLZ-m...er.exe
windows10-2004-x64
9FN-TOOLZ-m...er.bat
windows10-2004-x64
1Analysis
-
max time kernel
166s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
26/06/2024, 20:50
Behavioral task
behavioral1
Sample
FN-TOOLZ-main/FNCLEAN.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
Tournament_Fixer/AdditionalRuntimes/DevManView.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
Tournament_Fixer/AdditionalRuntimes/MCCSPal.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
Tournament_Fixer/AdditionalRuntimes/MaintenanceUI.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
Tournament_Fixer/AdditionalRuntimes/ccl.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral6
Sample
Tournament_Fixer/AdditionalRuntimes/cpuz.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
Tournament_Fixer/AdditionalRuntimes/ddc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
Tournament_Fixer/AdditionalRuntimes/hssft.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
Tournament_Fixer/AdditionalRuntimes/hwbd64.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
Tournament_Fixer/AdditionalRuntimes/hwinfo32.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
Tournament_Fixer/AdditionalRuntimes/hwinfo64.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral12
Sample
Tournament_Fixer/AdditionalRuntimes/jfg.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
Tournament_Fixer/AdditionalRuntimes/jsg.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral14
Sample
Tournament_Fixer/AdditionalRuntimes/jsr.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral15
Sample
Tournament_Fixer/AdditionalRuntimes/kwg.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral16
Sample
Tournament_Fixer/AdditionalRuntimes/lsm.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
Tournament_Fixer/AdditionalRuntimes/lsmproxy.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
Tournament_Fixer/AdditionalRuntimes/lstelemetry.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral19
Sample
Tournament_Fixer/AdditionalRuntimes/luainstall.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
Tournament_Fixer/AdditionalRuntimes/luiapi.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
Tournament_Fixer/AdditionalRuntimes/lz32.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral22
Sample
Tournament_Fixer/AdditionalRuntimes/mcicda.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
Tournament_Fixer/AdditionalRuntimes/mciwave.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral24
Sample
Tournament_Fixer/AdditionalRuntimes/mfc70.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral25
Sample
Tournament_Fixer/AdditionalRuntimes/nvrl.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral26
Sample
Tournament_Fixer/AdditionalRuntimes/nvrl64.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
Tournament_Fixer/AdditionalRuntimes/tcs.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral28
Sample
Tournament_Fixer/AdditionalRuntimes/tcs64.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral29
Sample
Tournament_Fixer/AdditionalRuntimes/tm.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral30
Sample
Tournament_Fixer/AdditionalRuntimes/wmc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral31
Sample
FN-TOOLZ-main/applecleaner.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral32
Sample
FN-TOOLZ-main/serial_checker.bat
Resource
win10v2004-20240508-en
General
-
Target
Tournament_Fixer/AdditionalRuntimes/tcs.exe
-
Size
316KB
-
MD5
494b5078c1e82d00954941763862d2cf
-
SHA1
c56d4d59f205da08da87ba273bc72e4210124733
-
SHA256
63f18bdc7385ec394a597ba89090c9a8add17ea14b765aa28341c0cf99a098f3
-
SHA512
98638d8e3d2ec179a3fa8f3ab51ab4f792673e1d85b38786bf95a09144dab60c54c179eeb2306c75cd695e6e42991beb270df1acc733232b9fec2751c5ad909c
-
SSDEEP
6144:fBlkZvaF4NTBOyESMqhETp33NLGstoB4TW9OpIHGynZs6nXi5xAlVm5IosF79Pd:foSWNT0yExqg59LGsSB4TW9O6mynZjiw
Malware Config
Signatures
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4256 sc.exe 2112 sc.exe 800 sc.exe 4776 sc.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString reg.exe -
Enumerates system info in registry 2 TTPs 8 IoCs
description ioc Process Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate reg.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS reg.exe -
Kills process with taskkill 13 IoCs
pid Process 4624 taskkill.exe 2016 taskkill.exe 2696 taskkill.exe 3088 taskkill.exe 3176 taskkill.exe 1172 taskkill.exe 3380 taskkill.exe 4756 taskkill.exe 3108 taskkill.exe 1792 taskkill.exe 4532 taskkill.exe 4392 taskkill.exe 648 taskkill.exe -
Modifies registry key 1 TTPs 29 IoCs
pid Process 4240 reg.exe 1100 reg.exe 3128 reg.exe 1556 reg.exe 672 reg.exe 620 reg.exe 2432 reg.exe 1156 reg.exe 2236 reg.exe 2948 reg.exe 4200 reg.exe 2780 reg.exe 2208 reg.exe 3656 reg.exe 2748 reg.exe 4108 reg.exe 4468 reg.exe 4616 reg.exe 4644 reg.exe 1560 reg.exe 4660 reg.exe 1604 reg.exe 1032 reg.exe 3980 reg.exe 4608 reg.exe 4256 reg.exe 772 reg.exe 2744 reg.exe 1860 reg.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 4624 taskkill.exe Token: SeDebugPrivilege 1172 taskkill.exe Token: SeDebugPrivilege 2016 taskkill.exe Token: SeDebugPrivilege 4532 taskkill.exe Token: SeDebugPrivilege 3380 taskkill.exe Token: SeDebugPrivilege 4392 taskkill.exe Token: SeDebugPrivilege 2696 taskkill.exe Token: SeDebugPrivilege 4756 taskkill.exe Token: SeDebugPrivilege 3088 taskkill.exe Token: SeDebugPrivilege 3176 taskkill.exe Token: SeDebugPrivilege 3108 taskkill.exe Token: SeDebugPrivilege 1792 taskkill.exe Token: SeDebugPrivilege 648 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2468 wrote to memory of 1588 2468 tcs.exe 83 PID 2468 wrote to memory of 1588 2468 tcs.exe 83 PID 1588 wrote to memory of 4624 1588 cmd.exe 84 PID 1588 wrote to memory of 4624 1588 cmd.exe 84 PID 1588 wrote to memory of 1172 1588 cmd.exe 87 PID 1588 wrote to memory of 1172 1588 cmd.exe 87 PID 1588 wrote to memory of 2016 1588 cmd.exe 88 PID 1588 wrote to memory of 2016 1588 cmd.exe 88 PID 1588 wrote to memory of 4532 1588 cmd.exe 89 PID 1588 wrote to memory of 4532 1588 cmd.exe 89 PID 1588 wrote to memory of 3380 1588 cmd.exe 91 PID 1588 wrote to memory of 3380 1588 cmd.exe 91 PID 1588 wrote to memory of 4392 1588 cmd.exe 92 PID 1588 wrote to memory of 4392 1588 cmd.exe 92 PID 1588 wrote to memory of 2696 1588 cmd.exe 94 PID 1588 wrote to memory of 2696 1588 cmd.exe 94 PID 1588 wrote to memory of 4756 1588 cmd.exe 95 PID 1588 wrote to memory of 4756 1588 cmd.exe 95 PID 1588 wrote to memory of 3088 1588 cmd.exe 96 PID 1588 wrote to memory of 3088 1588 cmd.exe 96 PID 1588 wrote to memory of 3176 1588 cmd.exe 97 PID 1588 wrote to memory of 3176 1588 cmd.exe 97 PID 1588 wrote to memory of 3108 1588 cmd.exe 98 PID 1588 wrote to memory of 3108 1588 cmd.exe 98 PID 1588 wrote to memory of 1792 1588 cmd.exe 99 PID 1588 wrote to memory of 1792 1588 cmd.exe 99 PID 1588 wrote to memory of 648 1588 cmd.exe 100 PID 1588 wrote to memory of 648 1588 cmd.exe 100 PID 1588 wrote to memory of 4256 1588 cmd.exe 101 PID 1588 wrote to memory of 4256 1588 cmd.exe 101 PID 1588 wrote to memory of 2112 1588 cmd.exe 102 PID 1588 wrote to memory of 2112 1588 cmd.exe 102 PID 1588 wrote to memory of 800 1588 cmd.exe 103 PID 1588 wrote to memory of 800 1588 cmd.exe 103 PID 1588 wrote to memory of 4776 1588 cmd.exe 104 PID 1588 wrote to memory of 4776 1588 cmd.exe 104 PID 1588 wrote to memory of 1628 1588 cmd.exe 105 PID 1588 wrote to memory of 1628 1588 cmd.exe 105 PID 1588 wrote to memory of 4612 1588 cmd.exe 106 PID 1588 wrote to memory of 4612 1588 cmd.exe 106 PID 1588 wrote to memory of 4708 1588 cmd.exe 107 PID 1588 wrote to memory of 4708 1588 cmd.exe 107 PID 1588 wrote to memory of 1052 1588 cmd.exe 108 PID 1588 wrote to memory of 1052 1588 cmd.exe 108 PID 1588 wrote to memory of 1724 1588 cmd.exe 109 PID 1588 wrote to memory of 1724 1588 cmd.exe 109 PID 1588 wrote to memory of 2672 1588 cmd.exe 110 PID 1588 wrote to memory of 2672 1588 cmd.exe 110 PID 1588 wrote to memory of 1344 1588 cmd.exe 111 PID 1588 wrote to memory of 1344 1588 cmd.exe 111 PID 1588 wrote to memory of 1580 1588 cmd.exe 112 PID 1588 wrote to memory of 1580 1588 cmd.exe 112 PID 1588 wrote to memory of 676 1588 cmd.exe 113 PID 1588 wrote to memory of 676 1588 cmd.exe 113 PID 1588 wrote to memory of 4252 1588 cmd.exe 114 PID 1588 wrote to memory of 4252 1588 cmd.exe 114 PID 1588 wrote to memory of 208 1588 cmd.exe 115 PID 1588 wrote to memory of 208 1588 cmd.exe 115 PID 1588 wrote to memory of 1408 1588 cmd.exe 116 PID 1588 wrote to memory of 1408 1588 cmd.exe 116 PID 1588 wrote to memory of 2052 1588 cmd.exe 117 PID 1588 wrote to memory of 2052 1588 cmd.exe 117 PID 1588 wrote to memory of 3540 1588 cmd.exe 118 PID 1588 wrote to memory of 3540 1588 cmd.exe 118
Processes
-
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3A3A.tmp\3A4B.tmp\3A4C.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\system32\taskkill.exetaskkill /f /im epicgameslauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4624
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4532
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im OneDrive.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3380
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im UnrealCEFSubProcess.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4756
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im CEFProcess.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3088
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3176
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEService.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3108
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEServices.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BattleEye.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:648
-
-
C:\Windows\system32\sc.exeSc stop EasyAntiCheat3⤵
- Launches sc.exe
PID:4256
-
-
C:\Windows\system32\sc.exeSc stop FortniteClient-Win64-Shipping_EAC3⤵
- Launches sc.exe
PID:2112
-
-
C:\Windows\system32\sc.exeSc stop BattleEye3⤵
- Launches sc.exe
PID:800
-
-
C:\Windows\system32\sc.exeSc stop FortniteClient-Win64-Shipping_BE3⤵
- Launches sc.exe
PID:4776
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f3⤵PID:1628
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"3⤵PID:4612
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"3⤵PID:4708
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"3⤵PID:1052
-
-
C:\Windows\system32\reg.exereg delete "HKU\.Dreg delete "HKEY_CURRENT_USER\Software\Epic Games" /f3⤵PID:1724
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f3⤵PID:2672
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f3⤵PID:1344
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f3⤵PID:1580
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f3⤵PID:676
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f3⤵PID:4252
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f3⤵PID:208
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f3⤵PID:1408
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f3⤵PID:2052
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f3⤵PID:3540
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f3⤵PID:724
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f3⤵PID:1192
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f3⤵PID:4188
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f3⤵PID:3416
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f3⤵PID:1624
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f3⤵PID:1512
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f3⤵PID:3892
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"3⤵PID:3664
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"3⤵PID:3196
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"3⤵PID:448
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f"3⤵PID:3208
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f3⤵PID:4768
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f"3⤵PID:2084
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f"3⤵PID:3572
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f"3⤵PID:4104
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f"3⤵PID:2568
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f"3⤵PID:2320
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f"3⤵PID:3392
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f"3⤵PID:3960
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games. /f"3⤵PID:1196
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f"3⤵PID:3864
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f3⤵PID:3788
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r23571 /f3⤵
- Modifies registry key
PID:4240
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d r11624 /f3⤵
- Modifies registry key
PID:2780
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be2185} /f3⤵
- Modifies registry key
PID:2208
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee6518-4274-14890-10415} /f3⤵
- Modifies registry key
PID:1560
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {fefefe4869-3649-6662-14780} /f3⤵
- Modifies registry key
PID:4660
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d r7987 /f3⤵
- Modifies registry key
PID:1604
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r14323 /f3⤵
- Modifies registry key
PID:3656
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r3445 /f3⤵
- Modifies registry key
PID:1556
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd31774-14153-12867-13851} /f3⤵
- Modifies registry key
PID:772
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {BE7602} /f3⤵
- Modifies registry key
PID:1032
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {22847-11408-18915-28806} /f3⤵
- Modifies registry key
PID:3980
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {29558-28170-31825-32483} /f3⤵
- Modifies registry key
PID:2744
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 14506 /f3⤵
- Modifies registry key
PID:1156
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 10706 /f3⤵
- Modifies registry key
PID:4468
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 4628 /f3⤵
- Modifies registry key
PID:2748
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 8331-28706-24157-21211 /f3⤵
- Modifies registry key
PID:2432
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 30015 /f3⤵
- Modifies registry key
PID:2236
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {5673-17434-19818-26756} /f3⤵
- Modifies registry key
PID:672
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 24770-3924-8685-8871 /f3⤵
- Modifies registry key
PID:1860
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f3⤵PID:4760
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f3⤵PID:1876
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f3⤵PID:5032
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f3⤵PID:4652
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f3⤵PID:532
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f3⤵PID:4140
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f3⤵PID:5008
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f3⤵PID:4380
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f3⤵PID:928
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f3⤵PID:4512
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f3⤵PID:4168
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f3⤵PID:3080
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f3⤵PID:4120
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 31896 /f3⤵PID:3608
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 2393 /f3⤵PID:4116
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 18060 /f3⤵
- Modifies registry key
PID:2948
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 2815 /f3⤵
- Modifies registry key
PID:4616
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f3⤵PID:2844
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d TS-eac5684 /f3⤵
- Modifies registry key
PID:4608
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d TS-17628 /f3⤵
- Modifies registry key
PID:4108
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac31295} /f3⤵
- Modifies registry key
PID:1100
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {TS-16242-882-29080-23012} /f3⤵
- Modifies registry key
PID:4256
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {TS-9530-8502-4918-19343} /f3⤵
- Modifies registry key
PID:4200
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d TS-30441 /f3⤵
- Modifies registry key
PID:3128
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f3⤵PID:4656
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 14683 /f3⤵
- Modifies registry key
PID:4644
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 8049 /f3⤵
- Modifies registry key
PID:620
-
-
C:\Windows\system32\reg.exereg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f3⤵PID:64
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f3⤵PID:2564
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f3⤵PID:2324
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f3⤵PID:2460
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f3⤵
- Enumerates system info in registry
PID:2864
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f3⤵
- Enumerates system info in registry
PID:4516
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f3⤵
- Enumerates system info in registry
PID:3756
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f3⤵
- Enumerates system info in registry
PID:3268
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f3⤵
- Checks processor information in registry
PID:3444
-
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f3⤵PID:3612
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
227KB
MD5873801eea220f0bab74d86c1eaa30361
SHA1c5c91e41c37e53b94ba899694e95949f1bca07be
SHA25626a8eede65d9e6a1ab4c450f8dc4be010792c13483380aeb47ef082da8a278b3
SHA51248a3039c93146af7f1102d5290cde08cb09c0a4d74500cf2df0050d6a68e728c3a2e00961221de05f376c044c0e223a10e2d2cf57a915662a929ba7e9345dc48