87e343bc7a031476674f7c325bbdd6a702b135ba52cafd375a49eb228f84716e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Valorant-Spoofer-main/Fortnite3.bat
Size

89KB
MD5

8961137a983fa231912f4bc4223eb98a
SHA1

c8255dc314c1ba17be62ecee84eb563cd1f7ba6f
SHA256

478d367d6dbd25ea41066981b91dd3610fc8f5279fe9f1a921565dbfe95d85f2
SHA512

f1566d474c8092fece0f8262e6931a8da443c429778e4e8fe2b60a67b167c021565ab4b29b6c9c1fe4b8958767745bf222ee3e8e65a66acf3073583bdf06d7eb
SSDEEP

768:1h9N5NS/kzRepbUNHgXCyLX874zp0mH3cK:F/NHg1874zp0ocK

Score

8^/10

evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3836	netsh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4996	ipconfig.exe
3640	ipconfig.exe
720	ipconfig.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
1516	taskkill.exe
1660	taskkill.exe
1868	taskkill.exe
1972	taskkill.exe
4528	taskkill.exe
1952	taskkill.exe
1512	taskkill.exe
3828	taskkill.exe
636	taskkill.exe
4064	taskkill.exe
4636	taskkill.exe
760	taskkill.exe

Modifies registry key 1 TTPs 33 IoCs

Modify Registry

T1112

pid	Process
1016	reg.exe
968	reg.exe
4660	reg.exe
452	reg.exe
2376	reg.exe
3024	reg.exe
1372	reg.exe
2280	reg.exe
964	reg.exe
4996	reg.exe
3092	reg.exe
2380	reg.exe
3396	reg.exe
2400	reg.exe
2084	reg.exe
4616	reg.exe
1012	reg.exe
3848	reg.exe
1344	reg.exe
2840	reg.exe
4744	reg.exe
220	reg.exe
1976	reg.exe
4444	reg.exe
2900	reg.exe
2296	reg.exe
4536	reg.exe
4988	reg.exe
1384	reg.exe
2268	reg.exe
4588	reg.exe
3924	reg.exe
4396	reg.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	3828	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 1972	768	cmd.exe	84
PID 768 wrote to memory of 1972	768	cmd.exe	84
PID 768 wrote to memory of 4064	768	cmd.exe	86
PID 768 wrote to memory of 4064	768	cmd.exe	86
PID 768 wrote to memory of 4636	768	cmd.exe	87
PID 768 wrote to memory of 4636	768	cmd.exe	87
PID 768 wrote to memory of 4528	768	cmd.exe	88
PID 768 wrote to memory of 4528	768	cmd.exe	88
PID 768 wrote to memory of 760	768	cmd.exe	89
PID 768 wrote to memory of 760	768	cmd.exe	89
PID 768 wrote to memory of 1016	768	cmd.exe	90
PID 768 wrote to memory of 1016	768	cmd.exe	90
PID 768 wrote to memory of 1344	768	cmd.exe	91
PID 768 wrote to memory of 1344	768	cmd.exe	91
PID 768 wrote to memory of 2840	768	cmd.exe	92
PID 768 wrote to memory of 2840	768	cmd.exe	92
PID 768 wrote to memory of 4744	768	cmd.exe	93
PID 768 wrote to memory of 4744	768	cmd.exe	93
PID 768 wrote to memory of 3024	768	cmd.exe	95
PID 768 wrote to memory of 3024	768	cmd.exe	95
PID 768 wrote to memory of 3092	768	cmd.exe	96
PID 768 wrote to memory of 3092	768	cmd.exe	96
PID 768 wrote to memory of 2900	768	cmd.exe	97
PID 768 wrote to memory of 2900	768	cmd.exe	97
PID 768 wrote to memory of 968	768	cmd.exe	98
PID 768 wrote to memory of 968	768	cmd.exe	98
PID 768 wrote to memory of 1372	768	cmd.exe	99
PID 768 wrote to memory of 1372	768	cmd.exe	99
PID 768 wrote to memory of 2296	768	cmd.exe	100
PID 768 wrote to memory of 2296	768	cmd.exe	100
PID 768 wrote to memory of 2268	768	cmd.exe	101
PID 768 wrote to memory of 2268	768	cmd.exe	101
PID 768 wrote to memory of 2280	768	cmd.exe	103
PID 768 wrote to memory of 2280	768	cmd.exe	103
PID 768 wrote to memory of 220	768	cmd.exe	104
PID 768 wrote to memory of 220	768	cmd.exe	104
PID 768 wrote to memory of 4588	768	cmd.exe	105
PID 768 wrote to memory of 4588	768	cmd.exe	105
PID 768 wrote to memory of 2380	768	cmd.exe	106
PID 768 wrote to memory of 2380	768	cmd.exe	106
PID 768 wrote to memory of 4536	768	cmd.exe	107
PID 768 wrote to memory of 4536	768	cmd.exe	107
PID 768 wrote to memory of 4988	768	cmd.exe	108
PID 768 wrote to memory of 4988	768	cmd.exe	108
PID 768 wrote to memory of 3396	768	cmd.exe	109
PID 768 wrote to memory of 3396	768	cmd.exe	109
PID 768 wrote to memory of 964	768	cmd.exe	110
PID 768 wrote to memory of 964	768	cmd.exe	110
PID 768 wrote to memory of 2376	768	cmd.exe	111
PID 768 wrote to memory of 2376	768	cmd.exe	111
PID 768 wrote to memory of 4996	768	cmd.exe	112
PID 768 wrote to memory of 4996	768	cmd.exe	112
PID 768 wrote to memory of 2400	768	cmd.exe	113
PID 768 wrote to memory of 2400	768	cmd.exe	113
PID 768 wrote to memory of 1976	768	cmd.exe	115
PID 768 wrote to memory of 1976	768	cmd.exe	115
PID 768 wrote to memory of 3924	768	cmd.exe	116
PID 768 wrote to memory of 3924	768	cmd.exe	116
PID 768 wrote to memory of 5108	768	cmd.exe	117
PID 768 wrote to memory of 5108	768	cmd.exe	117
PID 768 wrote to memory of 4616	768	cmd.exe	118
PID 768 wrote to memory of 4616	768	cmd.exe	118
PID 768 wrote to memory of 636	768	cmd.exe	119
PID 768 wrote to memory of 636	768	cmd.exe	119

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
636	attrib.exe
2708	attrib.exe
1664	attrib.exe
4124	attrib.exe
3452	attrib.exe
2592	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Valorant-Spoofer-main\Fortnite3.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r26957 /f
  2⤵
  - Modifies registry key
  PID:1016
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d r5679 /f
  2⤵
  - Modifies registry key
  PID:1344
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be29234} /f
  2⤵
  - Modifies registry key
  PID:2840
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee28768-20645-11033-18148} /f
  2⤵
  - Modifies registry key
  PID:4744
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {fefefe23355-27522-1398-32560} /f
  2⤵
  - Modifies registry key
  PID:3024
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d r884 /f
  2⤵
  - Modifies registry key
  PID:3092
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r2493 /f
  2⤵
  - Modifies registry key
  PID:2900
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r18255 /f
  2⤵
  - Modifies registry key
  PID:968
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d r16454-6028-1448-28734 /f
  2⤵
  - Modifies registry key
  PID:1372
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d hello8109-23040-20116-19933 /f
  2⤵
  - Modifies registry key
  PID:2296
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 8674-13669-31895-20607 /f
  2⤵
  - Modifies registry key
  PID:2268
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 3138 /f
  2⤵
  - Modifies registry key
  PID:2280
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd22199-20876-6174-3625} /f
  2⤵
  - Modifies registry key
  PID:220
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {BE16879} /f
  2⤵
  - Modifies registry key
  PID:4588
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {19290-19861-1372-5331} /f
  2⤵
  - Modifies registry key
  PID:2380
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {11130-7183-24996-27666} /f
  2⤵
  - Modifies registry key
  PID:4536
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 6067 /f
  2⤵
  - Modifies registry key
  PID:4988
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 24256 /f
  2⤵
  - Modifies registry key
  PID:3396
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 27580 /f
  2⤵
  - Modifies registry key
  PID:964
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 7824-14376-22227-29549 /f
  2⤵
  - Modifies registry key
  PID:2376
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 17151-30357-32163-10488 /f
  2⤵
  - Modifies registry key
  PID:4996
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 13231-17110-18221-9652 /f
  2⤵
  - Modifies registry key
  PID:2400
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 1191 /f
  2⤵
  - Modifies registry key
  PID:1976
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {169-26822-26616-8180} /f
  2⤵
  - Modifies registry key
  PID:3924
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:5108
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 692-30729-17979-31809 /f
  2⤵
  - Modifies registry key
  PID:4616
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h C:\desktop.ini
  2⤵
  - Views/modifies file attributes
  PID:636
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h D:\desktop.ini
  2⤵
  - Views/modifies file attributes
  PID:2708
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Views/modifies file attributes
  PID:1664
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h C:\Users\Admin\AppData\Local\Temp\9544ff7.tmp
  2⤵
  - Views/modifies file attributes
  PID:4124
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:1660
- C:\Windows\system32\taskkill.exe
  taskkill /IM "EpicGamesLauncher.exe" /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
  2⤵
  PID:1884
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:4532
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:3080
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:2224
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:508
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:1088
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:4540
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:1672
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:1536
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:1532
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:3560
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:3972
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:2596
- C:\Windows\system32\attrib.exe
  attrib /s /d -s -h C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\*
  2⤵
  - Views/modifies file attributes
  PID:3452
- C:\Windows\system32\attrib.exe
  attrib /s /d -s -h C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\*
  2⤵
  - Views/modifies file attributes
  PID:2592
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:2780
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:3572
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  2⤵
  PID:3188
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:3636
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:4904
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  2⤵
  PID:464
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  2⤵
  PID:224
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
  2⤵
  PID:1572
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
  2⤵
  PID:936
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
  2⤵
  PID:4028
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
  2⤵
  PID:4856
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
  2⤵
  PID:2836
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
  2⤵
  - Enumerates system info in registry
  PID:3616
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
  2⤵
  - Enumerates system info in registry
  PID:2228
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
  2⤵
  - Enumerates system info in registry
  PID:2824
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
  2⤵
  - Enumerates system info in registry
  PID:1560
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
  2⤵
  - Enumerates system info in registry
  PID:4016
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
  2⤵
  - Checks processor information in registry
  PID:2428
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
  2⤵
  PID:2236
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 14026 /f
  2⤵
  PID:1640
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 30228 /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 7546 /f
  2⤵
  - Modifies registry key
  PID:4660
- C:\Windows\system32\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 8616 /f
  2⤵
  - Modifies registry key
  PID:4396
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
  2⤵
  PID:4160
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
  2⤵
  PID:4768
- C:\Windows\system32\reg.exe
  REG ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate /t REG_SZ /d 26474 /f
  2⤵
  - Modifies registry key
  PID:1012
- C:\Windows\system32\reg.exe
  REG ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductId /t REG_SZ /d 6900 /f
  2⤵
  - Modifies registry key
  PID:452
- C:\Windows\system32\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 16091 /f
  2⤵
  - Modifies registry key
  PID:3848
- C:\Windows\system32\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 28872 /f
  2⤵
  - Modifies registry key
  PID:1384
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
  2⤵
  PID:1576
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r13960 /f
  2⤵
  - Modifies registry key
  PID:4444
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d r30045 /f
  2⤵
  - Modifies registry key
  PID:2084
- C:\Windows\system32\netsh.exe
  netsh advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:3836
- C:\Windows\system32\netsh.exe
  netsh int ipv6 reset
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4252
- C:\Windows\system32\netsh.exe
  netsh winsock reset
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2268
- C:\Windows\system32\netsh.exe
  netsh int ip reset
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2380
- C:\Windows\system32\ipconfig.exe
  ipconfig /release
  2⤵
  - Gathers network information
  PID:720
- C:\Windows\system32\ipconfig.exe
  ipconfig /renew
  2⤵
  - Gathers network information
  PID:4996
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:3640
- C:\Windows\system32\taskkill.exe
  TASKkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\system32\taskkill.exe
  TASKkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Windows\system32\taskkill.exe
  TASKkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\system32\taskkill.exe
  TASKkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\system32\taskkill.exe
  TASKkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\system32\reg.exe
  Reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:4800
- C:\Windows\system32\taskkill.exe
  taskkill /IM "EpicGamesLauncher.exe" /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
  2⤵
  PID:1008
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:884