Analysis

  • max time kernel
    166s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/06/2024, 20:50

General

  • Target
    Tournament_Fixer/AdditionalRuntimes/tcs.exe
  • Size
    316KB
  • MD5
    494b5078c1e82d00954941763862d2cf
  • SHA1
    c56d4d59f205da08da87ba273bc72e4210124733
  • SHA256
    63f18bdc7385ec394a597ba89090c9a8add17ea14b765aa28341c0cf99a098f3
  • SHA512
    98638d8e3d2ec179a3fa8f3ab51ab4f792673e1d85b38786bf95a09144dab60c54c179eeb2306c75cd695e6e42991beb270df1acc733232b9fec2751c5ad909c
  • SSDEEP
    6144:fBlkZvaF4NTBOyESMqhETp33NLGstoB4TW9OpIHGynZs6nXi5xAlVm5IosF79Pd:foSWNT0yExqg59LGsSB4TW9O6mynZjiw

Score
8/10

Malware Config

Signatures

  • Stops running service(s) (4 TTPs)
  • Launches sc.exe (4 IoCs)

    Sc.exe is a Windows utility to control services on the system.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 8 IoCs)
  • Kills process with taskkill (13 IoCs)
  • Modifies registry key (1 TTP, 29 IoCs)
  • Suspicious use of AdjustPrivilegeToken (13 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe
    "C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3A3A.tmp\3A4B.tmp\3A4C.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im epicgameslauncher.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4624
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1172
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2016
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteLauncher.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4532
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im OneDrive.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3380
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4392
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EpicGamesLauncher.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2696
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im UnrealCEFSubProcess.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4756
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im CEFProcess.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3088
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EasyAntiCheat.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3176
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im BEService.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3108
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im BEServices.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1792
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im BattleEye.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:648
      • C:\Windows\system32\sc.exe
        Sc stop EasyAntiCheat
        3⤵
        • Launches sc.exe
        PID:4256
      • C:\Windows\system32\sc.exe
        Sc stop FortniteClient-Win64-Shipping_EAC
        3⤵
        • Launches sc.exe
        PID:2112
      • C:\Windows\system32\sc.exe
        Sc stop BattleEye
        3⤵
        • Launches sc.exe
        PID:800
      • C:\Windows\system32\sc.exe
        Sc stop FortniteClient-Win64-Shipping_BE
        3⤵
        • Launches sc.exe
        PID:4776
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
        3⤵
        PID:1628
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
        3⤵
        PID:4612
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
        3⤵
        PID:4708
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
        3⤵
        PID:1052
      • C:\Windows\system32\reg.exe
        reg delete "HKU\.Dreg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:1724
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
        3⤵
        PID:2672
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
        3⤵
        PID:1344
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
        3⤵
        PID:1580
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
        3⤵
        PID:676
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
        3⤵
        PID:4252
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
        3⤵
        PID:208
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
        3⤵
        PID:1408
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
        3⤵
        PID:2052
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
        3⤵
        PID:3540
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f
        3⤵
        PID:724
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
        3⤵
        PID:1192
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
        3⤵
        PID:4188
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
        3⤵
        PID:3416
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
        3⤵
        PID:1624
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
        3⤵
        PID:1512
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
        3⤵
        PID:3892
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"
        3⤵
        PID:3664
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"
        3⤵
        PID:3196
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"
        3⤵
        PID:448
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f"
        3⤵
        PID:3208
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
        3⤵
        PID:4768
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f"
        3⤵
        PID:2084
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f"
        3⤵
        PID:3572
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f"
        3⤵
        PID:4104
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f"
        3⤵
        PID:2568
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f"
        3⤵
        PID:2320
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f"
        3⤵
        PID:3392
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f"
        3⤵
        PID:3960
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games. /f"
        3⤵
        PID:1196
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f"
        3⤵
        PID:3864
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
        3⤵
        PID:3788
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r23571 /f
        3⤵
        • Modifies registry key
        PID:4240
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d r11624 /f
        3⤵
        • Modifies registry key
        PID:2780
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be2185} /f
        3⤵
        • Modifies registry key
        PID:2208
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee6518-4274-14890-10415} /f
        3⤵
        • Modifies registry key
        PID:1560
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {fefefe4869-3649-6662-14780} /f
        3⤵
        • Modifies registry key
        PID:4660
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d r7987 /f
        3⤵
        • Modifies registry key
        PID:1604
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r14323 /f
        3⤵
        • Modifies registry key
        PID:3656
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r3445 /f
        3⤵
        • Modifies registry key
        PID:1556
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd31774-14153-12867-13851} /f
        3⤵
        • Modifies registry key
        PID:772
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {BE7602} /f
        3⤵
        • Modifies registry key
        PID:1032
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {22847-11408-18915-28806} /f
        3⤵
        • Modifies registry key
        PID:3980
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {29558-28170-31825-32483} /f
        3⤵
        • Modifies registry key
        PID:2744
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 14506 /f
        3⤵
        • Modifies registry key
        PID:1156
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 10706 /f
        3⤵
        • Modifies registry key
        PID:4468
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 4628 /f
        3⤵
        • Modifies registry key
        PID:2748
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 8331-28706-24157-21211 /f
        3⤵
        • Modifies registry key
        PID:2432
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 30015 /f
        3⤵
        • Modifies registry key
        PID:2236
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {5673-17434-19818-26756} /f
        3⤵
        • Modifies registry key
        PID:672
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 24770-3924-8685-8871 /f
        3⤵
        • Modifies registry key
        PID:1860
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:4760
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
        3⤵
        PID:1876
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
        3⤵
        PID:5032
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
        3⤵
        PID:4652
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
        3⤵
        PID:532
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
        3⤵
        PID:4140
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
        3⤵
        PID:5008
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
        3⤵
        PID:4380
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
        3⤵
        PID:928
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
        3⤵
        PID:4512
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
                                                                                                    3⤵
                                                                                                      PID:4168
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
                                                                                                      3⤵
                                                                                                        PID:3080
                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                        reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
                                                                                                        3⤵
                                                                                                          PID:4120
                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                          REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 31896 /f
                                                                                                          3⤵
                                                                                                            PID:3608
                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                            REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 2393 /f
                                                                                                            3⤵
                                                                                                              PID:4116
                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                              REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 18060 /f
                                                                                                              3⤵
                                                                                                              • Modifies registry key
                                                                                                              PID:2948
                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                              REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 2815 /f
                                                                                                              3⤵
                                                                                                              • Modifies registry key
                                                                                                              PID:4616
                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                              reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
                                                                                                              3⤵
                                                                                                                PID:2844
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d TS-eac5684 /f
                                                                                                                3⤵
                                                                                                                • Modifies registry key
                                                                                                                PID:4608
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d TS-17628 /f
                                                                                                                3⤵
                                                                                                                • Modifies registry key
                                                                                                                PID:4108
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac31295} /f
                                                                                                                3⤵
                                                                                                                • Modifies registry key
                                                                                                                PID:1100
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {TS-16242-882-29080-23012} /f
                                                                                                                3⤵
                                                                                                                • Modifies registry key
                                                                                                                PID:4256
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {TS-9530-8502-4918-19343} /f
                                                                                                                3⤵
                                                                                                                • Modifies registry key
                                                                                                                PID:4200
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d TS-30441 /f
                                                                                                                3⤵
                                                                                                                • Modifies registry key
                                                                                                                PID:3128
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
                                                                                                                3⤵
                                                                                                                  PID:4656
                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 14683 /f
                                                                                                                  3⤵
                                                                                                                  • Modifies registry key
                                                                                                                  PID:4644
                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 8049 /f
                                                                                                                  3⤵
                                                                                                                  • Modifies registry key
                                                                                                                  PID:620
                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                  reg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f
                                                                                                                  3⤵
                                                                                                                    PID:64
                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
                                                                                                                    3⤵
                                                                                                                      PID:2564
                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                      reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
                                                                                                                      3⤵
                                                                                                                        PID:2324
                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
                                                                                                                        3⤵
                                                                                                                          PID:2460
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
                                                                                                                          3⤵
                                                                                                                          • Enumerates system info in registry
                                                                                                                          PID:2864
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
                                                                                                                          3⤵
                                                                                                                          • Enumerates system info in registry
                                                                                                                          PID:4516
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
                                                                                                                          3⤵
                                                                                                                          • Enumerates system info in registry
                                                                                                                          PID:3756
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
                                                                                                                          3⤵
                                                                                                                          • Enumerates system info in registry
                                                                                                                          PID:3268
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
                                                                                                                          3⤵
                                                                                                                          • Checks processor information in registry
                                                                                                                          PID:3444
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
                                                                                                                          3⤵
                                                                                                                            PID:3612

                                                                                                                      Network

                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                      Downloads

• C:\Users\Admin\AppData\Local\Temp\3A3A.tmp\3A4B.tmp\3A4C.bat
  Filesize: 227KB
  MD5: 873801eea220f0bab74d86c1eaa30361
  SHA1: c5c91e41c37e53b94ba899694e95949f1bca07be
  SHA256: 26a8eede65d9e6a1ab4c450f8dc4be010792c13483380aeb47ef082da8a278b3
  SHA512: 48a3039c93146af7f1102d5290cde08cb09c0a4d74500cf2df0050d6a68e728c3a2e00961221de05f376c044c0e223a10e2d2cf57a915662a929ba7e9345dc48