Analysis Overview
SHA256
7ad75a6780417178b6026fe7f18a38dcb455e60d0f09391bbb9de6d9487c0526
Threat Level: Likely malicious
The file VixenCleaner.exe was found to be: Likely malicious.
Malicious Activity Summary
Deletes shadow copies
Stops running service(s)
Executes dropped EXE
Network Service Discovery
Indicator Removal: File Deletion
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Launches sc.exe
Unsigned PE
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Modifies registry key
Kills process with taskkill
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 13:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 13:48
Reported
2024-11-14 13:51
Platform
win7-20240708-en
Max time kernel
140s
Max time network
122s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im /f fortnite* /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im /f fortnite* /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im /f easyantiche* /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im /f easyantiche* /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im /f beservice* /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im /f beservice* /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im /f epicweb* /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im /f epicweb* /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im /f epicgames* /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im /f epicgames* /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im /f WmiPrv* /f /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im /f WmiPrv* /f /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color b
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause >nul
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 13:48
Reported
2024-11-14 13:49
Platform
win10v2004-20241007-en
Max time kernel
18s
Max time network
26s
Command Line
Signatures
Deletes shadow copies
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\VolumeID.exe | N/A |
| N/A | N/A | C:\Windows\System32\VolumeID.exe | N/A |
Indicator Removal: File Deletion
Network Service Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\VolumeID.exe | C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\reg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor | C:\Windows\system32\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\reg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Windows\system32\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\reg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\system32\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\reg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\system32\reg.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im /f fortnite* /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im /f fortnite* /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im /f easyantiche* /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im /f easyantiche* /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im /f beservice* /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im /f beservice* /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im /f epicweb* /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im /f epicweb* /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im /f epicgames* /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im /f epicgames* /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im /f WmiPrv* /f /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im /f WmiPrv* /f /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color b
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %localappdata%\FortniteGame\ >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %localappdata%\FortniteGame\ >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop easyanticheat >nul 2>&1
C:\Windows\system32\sc.exe
sc stop easyanticheat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop easyanticheat_eos >nul 2>&1
C:\Windows\system32\sc.exe
sc stop easyanticheat_eos
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop easyanticheat_eossys >nul 2>&1
C:\Windows\system32\sc.exe
sc stop easyanticheat_eossys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop easyanticheat_sys >nul 2>&1
C:\Windows\system32\sc.exe
sc stop easyanticheat_sys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop easyanticheatsys >nul 2>&1
C:\Windows\system32\sc.exe
sc stop easyanticheatsys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bedaisy >nul 2>&1
C:\Windows\system32\sc.exe
sc stop bedaisy
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop beservice >nul 2>&1
C:\Windows\system32\sc.exe
sc stop beservice
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop beservice >nul 2>&1
C:\Windows\system32\sc.exe
sc stop beservice
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop beservice >nul 2>&1
C:\Windows\system32\sc.exe
sc stop beservice
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete easyanticheat >nul 2>&1
C:\Windows\system32\sc.exe
sc delete easyanticheat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete easyanticheat_eos >nul 2>&1
C:\Windows\system32\sc.exe
sc delete easyanticheat_eos
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete easyanticheat_eossys >nul 2>&1
C:\Windows\system32\sc.exe
sc delete easyanticheat_eossys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete easyanticheat_sys >nul 2>&1
C:\Windows\system32\sc.exe
sc delete easyanticheat_sys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete easyanticheatsys >nul 2>&1
C:\Windows\system32\sc.exe
sc delete easyanticheatsys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bedaisy >nul 2>&1
C:\Windows\system32\sc.exe
sc delete bedaisy
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete beservice >nul 2>&1
C:\Windows\system32\sc.exe
sc delete beservice
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete beservice >nul 2>&1
C:\Windows\system32\sc.exe
sc delete beservice
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete beservice >nul 2>&1
C:\Windows\system32\sc.exe
sc delete beservice
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EasyAntiCheat_EOS" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EasyAntiCheat_EOS" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Khronos" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Khronos" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Khronos" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Khronos" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EasyAntiCheat_EOS" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EasyAntiCheat_EOS" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\EpicGamesLauncher\" >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\Khronos" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Khronos" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Khronos" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Khronos" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\EpicGames" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\EpicGames" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Epic Games" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Epic Games" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start /MIN "" "C:\Windows\System32\VolumeID.exe" -nobanner /accepteula C: 1C6E-93E4
C:\Windows\System32\VolumeID.exe
"C:\Windows\System32\VolumeID.exe" -nobanner /accepteula C: 1C6E-93E4
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color b
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F "C:\Windows\System32\VolumeID.exe" >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet >nul 2>&1
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im WmiPrv* /f /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im WmiPrv* /f /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im WmiPrv* /f /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im WmiPrv* /f /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /im WmiPrv* /f /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 8647-11229-26858-17858 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 8647-11229-26858-17858 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d 8647-11229-26858-17858 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d 8647-11229-26858-17858 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d 8647-11229-26858-17858 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d 8647-11229-26858-17858 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r%random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r8647 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d "VK7JG-NPHTM-C97JM-9MPGT-3V66T" /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d "VK7JG-NPHTM-C97JM-9MPGT-3V66T" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v BiosData /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v BiosData /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v SMBiosData /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v SMBiosData /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId0 /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId0 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId1 /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId1 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId2 /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId2 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId3 /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId3 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId4 /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId4 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId5 /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId5 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId6 /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId6 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLab /t REG_SZ /d r%random%_%random%%random%.%random%-%random%%random%%random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLab /t REG_SZ /d r8650_2197811954.9154-270663188322873 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLabEx /t REG_SZ /d r%random%_%random%%random%.%random%-%random%%random%%random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLabEx /t REG_SZ /d r8650_2197811954.9154-270663188322873 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v%random%} /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v8650} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v%random%} /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v8650} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v HwProfileGuid /t REG_SZ /d {xdfdfee%random%-%random%-%random%-%random%} /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v HwProfileGuid /t REG_SZ /d {xdfdfee8650-21978-11954-9154} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v GUID /t REG_SZ /d {faaeaa%random%-%random%-%random%-%random%} /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v GUID /t REG_SZ /d {faaeaa8650-21978-11954-9154} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r%random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r8650 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r%random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r8650 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r%random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r8650 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd%random%-%random%-%random%-%random%} /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd8650-21978-11954-9154} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallDate /t REG_SZ /d 8650 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallTime /t REG_SZ /d 8650 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {8650-21978-11954-9154} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 8650-21978-11954-9154 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {8650-21978-11954-9154} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d %random% /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 8650 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {8653-32726-29818-449} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&1
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {8653-32726-29818-449} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f >nul 2>&1
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arp -a >nul 2>&1
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arp -d >nul 2>&1
C:\Windows\system32\ARP.EXE
arp -d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arp -a >nul 2>&1
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
C:\Windows\System32\Wbem\WMIC.exe
WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
memory/684-0-0x0000000140065000-0x0000000140390000-memory.dmp
memory/684-2-0x00007FFA7C7E0000-0x00007FFA7C7E2000-memory.dmp
memory/684-1-0x00007FFA7C7D0000-0x00007FFA7C7D2000-memory.dmp
memory/684-3-0x0000000140000000-0x0000000140886000-memory.dmp
memory/684-6-0x0000000140065000-0x0000000140390000-memory.dmp
C:\Windows\System32\VolumeID.exe
| MD5 | 81a45f1a91448313b76d2e6d5308aa7a |
| SHA1 | 0d615343d5de03da03bce52e11b233093b404083 |
| SHA256 | fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd |
| SHA512 | 675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d |
memory/684-12-0x0000000140000000-0x0000000140886000-memory.dmp