1a30aa1a7d5562799615d29430357d6bc8708d3ad1d0408ee09fbf3ce29846bd

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	powershell.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	pnputil.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	pnputil.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0"	pnputil.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0"	pnputil.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	pnputil.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4024	Visual.exe
1640	Visual.exe
1984	Visual.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File created	C:\Windows\IME\permissions.bat	Activation.exe
File created	C:\Windows\IME\permissions.bat	Activation.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	pnputil.exe
File created	C:\Windows\IME\permissions.bat	Activation.exe
File created	C:\Windows\IME\reset.bat	Activation.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	pnputil.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File opened for modification	C:\Windows\IME\reset.bat	Activation.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000a000000023b82-131.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CRU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reset-all.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	restart.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2964	reg.exe
4496	reg.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	powershell.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ContainerID	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	pnputil.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	pnputil.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	pnputil.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	powershell.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver	pnputil.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}	pnputil.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	pnputil.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002	pnputil.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	pnputil.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	pnputil.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	pnputil.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006	pnputil.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ContainerID	pnputil.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceType	pnputil.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	pnputil.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0018	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	pnputil.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	pnputil.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	pnputil.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pnputil.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	powershell.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Security	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0010	pnputil.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties	pnputil.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003	pnputil.exe
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	powershell.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006\	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\	pnputil.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000D	pnputil.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Exclusive	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E	pnputil.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\	pnputil.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	pnputil.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	pnputil.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A	pnputil.exe
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	powershell.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	pnputil.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	pnputil.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	pnputil.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UINumberDescFormat	pnputil.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe

Kills process with taskkill 54 IoCs

evasion

pid	Process
3424	taskkill.exe
2416	taskkill.exe
1232	taskkill.exe
1196	taskkill.exe
3792	taskkill.exe
2412	taskkill.exe
392	taskkill.exe
4888	taskkill.exe
2272	taskkill.exe
3392	taskkill.exe
4888	taskkill.exe
3068	taskkill.exe
3704	taskkill.exe
364	taskkill.exe
2376	taskkill.exe
3648	taskkill.exe
4212	taskkill.exe
4924	taskkill.exe
4884	taskkill.exe
3728	taskkill.exe
1244	taskkill.exe
4732	taskkill.exe
2440	taskkill.exe
1612	taskkill.exe
712	taskkill.exe
2968	taskkill.exe
4892	taskkill.exe
800	taskkill.exe
4596	taskkill.exe
2748	taskkill.exe
1104	taskkill.exe
4888	taskkill.exe
1244	taskkill.exe
3992	taskkill.exe
1164	taskkill.exe
4896	taskkill.exe
792	taskkill.exe
4924	taskkill.exe
4836	taskkill.exe
4924	taskkill.exe
3184	taskkill.exe
2004	taskkill.exe
4560	taskkill.exe
4960	taskkill.exe
3376	taskkill.exe
1248	taskkill.exe
4376	taskkill.exe
3708	taskkill.exe
1908	taskkill.exe
1500	taskkill.exe
1816	taskkill.exe
1952	taskkill.exe
3204	taskkill.exe
3016	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4716	reg.exe
3512	reg.exe
1948	reg.exe
4400	reg.exe
1248	reg.exe
3380	reg.exe
848	reg.exe
4168	reg.exe
3204	reg.exe
4572	reg.exe
3740	reg.exe
556	reg.exe
3636	reg.exe
1524	reg.exe
4560	reg.exe
792	reg.exe
3148	reg.exe
4972	reg.exe
3424	reg.exe
1080	reg.exe
3712	reg.exe
4852	reg.exe
1612	reg.exe
2596	reg.exe
2412	reg.exe
4672	reg.exe
4556	reg.exe
3992	reg.exe
4664	reg.exe
1592	reg.exe
2292	reg.exe
4548	reg.exe
4408	reg.exe
2948	reg.exe
1908	reg.exe
392	reg.exe
2384	reg.exe
3880	reg.exe
2804	reg.exe
876	reg.exe
4888	reg.exe
3392	reg.exe
1852	reg.exe
580	reg.exe
800	reg.exe
4284	reg.exe
1244	reg.exe
1640	reg.exe
4740	reg.exe
1136	reg.exe
532	reg.exe
1860	reg.exe
908	reg.exe
396	reg.exe
1744	reg.exe
2808	reg.exe
4040	reg.exe
448	reg.exe
2004	reg.exe
64	reg.exe
4584	reg.exe
4012	reg.exe
3760	reg.exe
3716	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1200	powershell.exe
1200	powershell.exe
3520	powershell.exe
3520	powershell.exe
2076	powershell.exe
2076	powershell.exe
3048	powershell.exe
3048	powershell.exe
4284	powershell.exe
4284	powershell.exe
2376	powershell.exe
2376	powershell.exe
2968	powershell.exe
2968	powershell.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1624	restart64.exe
1624	restart64.exe
1624	restart64.exe
1624	restart64.exe
1624	restart64.exe
1624	restart64.exe
1624	restart64.exe
1624	restart64.exe
1624	restart64.exe
1624	restart64.exe
1624	restart64.exe
1624	restart64.exe
1624	restart64.exe
1624	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1336	restart64.exe
1104	powershell.exe
1104	powershell.exe
2364	powershell.exe
2364	powershell.exe
4960	powershell.exe
4960	powershell.exe
1616	powershell.exe
1616	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3680	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3680	7zFM.exe
Token: 35	3680	7zFM.exe
Token: SeSecurityPrivilege	3680	7zFM.exe
Token: SeIncreaseQuotaPrivilege	4016	WMIC.exe
Token: SeSecurityPrivilege	4016	WMIC.exe
Token: SeTakeOwnershipPrivilege	4016	WMIC.exe
Token: SeLoadDriverPrivilege	4016	WMIC.exe
Token: SeSystemProfilePrivilege	4016	WMIC.exe
Token: SeSystemtimePrivilege	4016	WMIC.exe
Token: SeProfSingleProcessPrivilege	4016	WMIC.exe
Token: SeIncBasePriorityPrivilege	4016	WMIC.exe
Token: SeCreatePagefilePrivilege	4016	WMIC.exe
Token: SeBackupPrivilege	4016	WMIC.exe
Token: SeRestorePrivilege	4016	WMIC.exe
Token: SeShutdownPrivilege	4016	WMIC.exe
Token: SeDebugPrivilege	4016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4016	WMIC.exe
Token: SeRemoteShutdownPrivilege	4016	WMIC.exe
Token: SeUndockPrivilege	4016	WMIC.exe
Token: SeManageVolumePrivilege	4016	WMIC.exe
Token: 33	4016	WMIC.exe
Token: 34	4016	WMIC.exe
Token: 35	4016	WMIC.exe
Token: 36	4016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4016	WMIC.exe
Token: SeSecurityPrivilege	4016	WMIC.exe
Token: SeTakeOwnershipPrivilege	4016	WMIC.exe
Token: SeLoadDriverPrivilege	4016	WMIC.exe
Token: SeSystemProfilePrivilege	4016	WMIC.exe
Token: SeSystemtimePrivilege	4016	WMIC.exe
Token: SeProfSingleProcessPrivilege	4016	WMIC.exe
Token: SeIncBasePriorityPrivilege	4016	WMIC.exe
Token: SeCreatePagefilePrivilege	4016	WMIC.exe
Token: SeBackupPrivilege	4016	WMIC.exe
Token: SeRestorePrivilege	4016	WMIC.exe
Token: SeShutdownPrivilege	4016	WMIC.exe
Token: SeDebugPrivilege	4016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4016	WMIC.exe
Token: SeRemoteShutdownPrivilege	4016	WMIC.exe
Token: SeUndockPrivilege	4016	WMIC.exe
Token: SeManageVolumePrivilege	4016	WMIC.exe
Token: 33	4016	WMIC.exe
Token: 34	4016	WMIC.exe
Token: 35	4016	WMIC.exe
Token: 36	4016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3492	WMIC.exe
Token: SeSecurityPrivilege	3492	WMIC.exe
Token: SeTakeOwnershipPrivilege	3492	WMIC.exe
Token: SeLoadDriverPrivilege	3492	WMIC.exe
Token: SeSystemProfilePrivilege	3492	WMIC.exe
Token: SeSystemtimePrivilege	3492	WMIC.exe
Token: SeProfSingleProcessPrivilege	3492	WMIC.exe
Token: SeIncBasePriorityPrivilege	3492	WMIC.exe
Token: SeCreatePagefilePrivilege	3492	WMIC.exe
Token: SeBackupPrivilege	3492	WMIC.exe
Token: SeRestorePrivilege	3492	WMIC.exe
Token: SeShutdownPrivilege	3492	WMIC.exe
Token: SeDebugPrivilege	3492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3492	WMIC.exe
Token: SeRemoteShutdownPrivilege	3492	WMIC.exe
Token: SeUndockPrivilege	3492	WMIC.exe
Token: SeManageVolumePrivilege	3492	WMIC.exe
Token: 33	3492	WMIC.exe
Token: 34	3492	WMIC.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3680	7zFM.exe
3680	7zFM.exe
1336	restart64.exe
1624	restart64.exe
1336	restart64.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
996	CRU.exe
996	CRU.exe
3852	reset-all.exe
1336	restart64.exe
5000	restart.exe
1624	restart64.exe
4364	RunAll.exe
4152	RunAll.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 2444	992	cmd.exe	111
PID 992 wrote to memory of 2444	992	cmd.exe	111
PID 992 wrote to memory of 4016	992	cmd.exe	112
PID 992 wrote to memory of 4016	992	cmd.exe	112
PID 992 wrote to memory of 3492	992	cmd.exe	113
PID 992 wrote to memory of 3492	992	cmd.exe	113
PID 992 wrote to memory of 1696	992	cmd.exe	114
PID 992 wrote to memory of 1696	992	cmd.exe	114
PID 992 wrote to memory of 3844	992	cmd.exe	115
PID 992 wrote to memory of 3844	992	cmd.exe	115
PID 992 wrote to memory of 4928	992	cmd.exe	116
PID 992 wrote to memory of 4928	992	cmd.exe	116
PID 992 wrote to memory of 4260	992	cmd.exe	117
PID 992 wrote to memory of 4260	992	cmd.exe	117
PID 992 wrote to memory of 4908	992	cmd.exe	118
PID 992 wrote to memory of 4908	992	cmd.exe	118
PID 992 wrote to memory of 4732	992	cmd.exe	119
PID 992 wrote to memory of 4732	992	cmd.exe	119
PID 4036 wrote to memory of 2016	4036	cmd.exe	122
PID 4036 wrote to memory of 2016	4036	cmd.exe	122
PID 2016 wrote to memory of 3576	2016	net.exe	123
PID 2016 wrote to memory of 3576	2016	net.exe	123
PID 4036 wrote to memory of 1200	4036	cmd.exe	124
PID 4036 wrote to memory of 1200	4036	cmd.exe	124
PID 1200 wrote to memory of 4792	1200	powershell.exe	126
PID 1200 wrote to memory of 4792	1200	powershell.exe	126
PID 1200 wrote to memory of 4560	1200	powershell.exe	127
PID 1200 wrote to memory of 4560	1200	powershell.exe	127
PID 1200 wrote to memory of 1940	1200	powershell.exe	128
PID 1200 wrote to memory of 1940	1200	powershell.exe	128
PID 3028 wrote to memory of 3620	3028	Activation.exe	131
PID 3028 wrote to memory of 3620	3028	Activation.exe	131
PID 3028 wrote to memory of 2940	3028	Activation.exe	132
PID 3028 wrote to memory of 2940	3028	Activation.exe	132
PID 3028 wrote to memory of 1848	3028	Activation.exe	133
PID 3028 wrote to memory of 1848	3028	Activation.exe	133
PID 3028 wrote to memory of 3172	3028	Activation.exe	134
PID 3028 wrote to memory of 3172	3028	Activation.exe	134
PID 3028 wrote to memory of 4436	3028	Activation.exe	135
PID 3028 wrote to memory of 4436	3028	Activation.exe	135
PID 3028 wrote to memory of 4856	3028	Activation.exe	136
PID 3028 wrote to memory of 4856	3028	Activation.exe	136
PID 3028 wrote to memory of 1136	3028	Activation.exe	137
PID 3028 wrote to memory of 1136	3028	Activation.exe	137
PID 3028 wrote to memory of 4848	3028	Activation.exe	138
PID 3028 wrote to memory of 4848	3028	Activation.exe	138
PID 3028 wrote to memory of 4724	3028	Activation.exe	139
PID 3028 wrote to memory of 4724	3028	Activation.exe	139
PID 3028 wrote to memory of 3488	3028	Activation.exe	140
PID 3028 wrote to memory of 3488	3028	Activation.exe	140
PID 3028 wrote to memory of 4816	3028	Activation.exe	141
PID 3028 wrote to memory of 4816	3028	Activation.exe	141
PID 3028 wrote to memory of 3720	3028	Activation.exe	142
PID 3028 wrote to memory of 3720	3028	Activation.exe	142
PID 3028 wrote to memory of 1488	3028	Activation.exe	143
PID 3028 wrote to memory of 1488	3028	Activation.exe	143
PID 3028 wrote to memory of 3328	3028	Activation.exe	144
PID 3028 wrote to memory of 3328	3028	Activation.exe	144
PID 3028 wrote to memory of 2396	3028	Activation.exe	145
PID 3028 wrote to memory of 2396	3028	Activation.exe	145
PID 3028 wrote to memory of 2896	3028	Activation.exe	146
PID 3028 wrote to memory of 2896	3028	Activation.exe	146
PID 2896 wrote to memory of 4424	2896	cmd.exe	147
PID 2896 wrote to memory of 4424	2896	cmd.exe	147

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Visual Services Spoofer.rar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4652

C:\Users\Admin\Desktop\Visual Services Spoofer\Visual.exe
"C:\Users\Admin\Desktop\Visual Services Spoofer\Visual.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Visual Services Spoofer\Serials_Checker.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\system32\mode.com
  mode con: cols=90 lines=48
  2⤵
  PID:2444
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3492
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get serialnumber
  2⤵
  PID:1696
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  PID:3844
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  PID:4928
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get serialnumber
  2⤵
  PID:4260
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
  2⤵
  PID:4908
- C:\Windows\System32\Wbem\WMIC.exe
  wmic PATH Win32_VideoController GET Description,PNPDeviceID
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Visual Services Spoofer\Drive_Remover.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\system32\net.exe
  NET FILE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 FILE
    3⤵
    PID:3576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell /nologo /noprofile /command "&{[ScriptBlock]::Create((cat """C:\Users\Admin\Desktop\Visual Services Spoofer\Drive_Remover.bat""") -join [Char[]]10).Invoke(@(&{$args}))}"
  2⤵
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\system32\pnputil.exe
    "C:\Windows\system32\pnputil.exe" /remove-device "SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 2&1f4adffe&0&000002" /force
    3⤵
    PID:4792
- - C:\Windows\system32\pnputil.exe
    "C:\Windows\system32\pnputil.exe" /remove-device SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 /force
    3⤵
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    PID:4560
- - C:\Windows\system32\pnputil.exe
    "C:\Windows\system32\pnputil.exe" /remove-device SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 /force
    3⤵
    - Maps connected drives based on registry
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    PID:1940

C:\Users\Admin\Desktop\Visual Services Spoofer\Activation.exe
"C:\Users\Admin\Desktop\Visual Services Spoofer\Activation.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c title Windows Activation Fix
  2⤵
  PID:3620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 0b
  2⤵
  PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation
  2⤵
  PID:3172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607
  2⤵
  PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:4816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:3720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Starting...
  2⤵
  PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\takeown.exe
    takeown /F C:\Windows\System32\sppsvc.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4424
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant administrators:F /T
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2964
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\spp /grant administrators:F /T
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Applying permissions...
  2⤵
  PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
  2⤵
  PID:4264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
  2⤵
  PID:4524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
  2⤵
  PID:400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
  2⤵
  PID:3968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl
  2⤵
  PID:1596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32\spp' -AclObject $acl
  2⤵
  PID:2488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %windir%\IME\reset.bat
  2⤵
  PID:3768
- - C:\Windows\system32\net.exe
    net stop sppsvc
    3⤵
    PID:3736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc
      4⤵
      PID:1536
- - C:\Windows\system32\net.exe
    net start sppsvc
    3⤵
    PID:3624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc
      4⤵
      PID:1464
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs /rilc
    3⤵
    PID:3084

C:\Users\Admin\Desktop\Visual Services Spoofer\cru-1.5.2\CRU.exe
"C:\Users\Admin\Desktop\Visual Services Spoofer\cru-1.5.2\CRU.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:996

C:\Users\Admin\Desktop\Visual Services Spoofer\cru-1.5.2\reset-all.exe
"C:\Users\Admin\Desktop\Visual Services Spoofer\cru-1.5.2\reset-all.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3852

C:\Users\Admin\Desktop\Visual Services Spoofer\cru-1.5.2\restart64.exe
"C:\Users\Admin\Desktop\Visual Services Spoofer\cru-1.5.2\restart64.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x320
1⤵
PID:2228

C:\Users\Admin\Desktop\Visual Services Spoofer\cru-1.5.2\restart.exe
"C:\Users\Admin\Desktop\Visual Services Spoofer\cru-1.5.2\restart.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5000
- C:\Users\Admin\Desktop\Visual Services Spoofer\cru-1.5.2\restart64.exe
  restart64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1624

C:\Users\Admin\Desktop\Visual Services Spoofer\Cleaners (order doesn't matter but if you want you can use it in this order)\RunAll.exe
"C:\Users\Admin\Desktop\Visual Services Spoofer\Cleaners (order doesn't matter but if you want you can use it in this order)\RunAll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4364
- C:\Users\Admin\Desktop\Visual Services Spoofer\Cleaners (order doesn't matter but if you want you can use it in this order)\RunAll.exe
  "C:\Users\Admin\Desktop\Visual Services Spoofer\Cleaners (order doesn't matter but if you want you can use it in this order)\RunAll.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "Cleaner1.bat"
    3⤵
    PID:2176
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im epicgameslauncher.exe
      4⤵
      Kills process with taskkill
      PID:4924
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicWebHelper.exe
      4⤵
      Kills process with taskkill
      PID:800
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      4⤵
      Kills process with taskkill
      PID:1244
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      4⤵
      Kills process with taskkill
      PID:3204
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      4⤵
      Kills process with taskkill
      PID:792
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      PID:2412
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      PID:4596
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      4⤵
      Kills process with taskkill
      PID:2748
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im BEService.exe
      4⤵
      Kills process with taskkill
      PID:3708
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im BEServices.exe
      4⤵
      Kills process with taskkill
      PID:1908
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im BattleEye.exe
      4⤵
      Kills process with taskkill
      PID:1104
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
      4⤵
      PID:2012
  - - C:\Windows\system32\reg.exe
      reg delete "HKCU\SOFTWARE\Epic Games" /f
      4⤵
      PID:4356
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
      4⤵
      PID:3560
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
      4⤵
      PID:2332
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
      4⤵
      PID:5056
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
      4⤵
      PID:408
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
      4⤵
      PID:3028
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
      4⤵
      PID:1396
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
      4⤵
      PID:1688
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
      4⤵
      PID:3736
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
      4⤵
      PID:2868
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
      4⤵
      PID:2280
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
      4⤵
      PID:4840
  - - C:\Windows\system32\reg.exe
      reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
      4⤵
      PID:3164
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\com.epicgames.eos" /f
      4⤵
      PID:744
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
      4⤵
      PID:3264
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\EpicGames" /f
      4⤵
      PID:1392
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
      4⤵
      PID:3520
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall reset
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "Cleaner2.bat"
    3⤵
    PID:2424
  - - C:\Windows\system32\reg.exe
      REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      PID:1152
  - - C:\Windows\system32\reg.exe
      REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BEService /f
      4⤵
      PID:2884
  - - C:\Windows\system32\reg.exe
      REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      PID:1540
  - - C:\Windows\system32\reg.exe
      REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EasyAntiCheat /f
      4⤵
      PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "Cleaner3.bat"
    3⤵
    PID:1808
  - - C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      4⤵
      PID:2076
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im epicgameslauncher.exe
      4⤵
      Kills process with taskkill
      PID:364
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicWebHelper.exe
      4⤵
      Kills process with taskkill
      PID:1164
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      4⤵
      Kills process with taskkill
      PID:4888
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      4⤵
      Kills process with taskkill
      PID:2968
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      4⤵
      Kills process with taskkill
      PID:3648
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      PID:4924
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      PID:2416
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      4⤵
      Kills process with taskkill
      PID:1952
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im BEService.exe
      4⤵
      Kills process with taskkill
      PID:4212
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im BEServices.exe
      4⤵
      Kills process with taskkill
      PID:392
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im BattleEye.exe
      4⤵
      Kills process with taskkill
      PID:1500
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
      4⤵
      PID:1136
  - - C:\Windows\system32\reg.exe
      reg delete "HKCU\SOFTWARE\Epic Games" /f
      4⤵
      PID:4596
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
      4⤵
      PID:2748
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
      4⤵
      PID:4780
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
      4⤵
      PID:1052
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
      4⤵
      PID:996
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
      4⤵
      PID:1428
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
      4⤵
      PID:4256
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
      4⤵
      PID:2356
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
      4⤵
      PID:4724
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
      4⤵
      PID:1312
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
      4⤵
      PID:3680
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
      4⤵
      PID:5056
  - - C:\Windows\system32\reg.exe
      reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
      4⤵
      PID:3012
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\com.epicgames.eos" /f
      4⤵
      PID:4300
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
      4⤵
      PID:1396
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
      4⤵
      PID:1688
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall reset
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "Cleaner4.bat"
    3⤵
    PID:2864
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"
      4⤵
      Kills process with taskkill
      PID:3992
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"
      4⤵
      Kills process with taskkill
      PID:2440
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"
      4⤵
      Kills process with taskkill
      PID:4892
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"
      4⤵
      Kills process with taskkill
      PID:4376
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"
      4⤵
      Kills process with taskkill
      PID:4896
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      4⤵
      PID:1412
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      4⤵
      PID:4180
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
      4⤵
      PID:2664
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
      4⤵
      PID:4604
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
      4⤵
      PID:1652
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      4⤵
      PID:3552
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      4⤵
      PID:4468
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
      4⤵
      PID:5020
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
      4⤵
      PID:4060
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
      4⤵
      PID:1168
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
      4⤵
      PID:2100
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 32759-22715 /f
      4⤵
      PID:2528
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 9398-16671 /f
      4⤵
      Modifies registry key
      PID:1640
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac8515} /f
      4⤵
      Modifies registry key
      PID:448
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {32105-23860-25427-6630-12041} /f
      4⤵
      Modifies registry key
      PID:2948
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {18939-6981-28021-24426-24561} /f
      4⤵
      Modifies registry key
      PID:1080
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 27480-12701 /f
      4⤵
      Modifies registry key
      PID:2292
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 14100-10445 /f
      4⤵
      Modifies registry key
      PID:2384
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 27767-14694 /f
      4⤵
      PID:4496
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 9086-26745-28146-1465-5505 /f
      4⤵
      PID:3840
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 12731-18312-7969-1037-11797 /f
      4⤵
      Modifies registry key
      PID:2004
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 4549-15566-1819-7402 /f
      4⤵
      Modifies registry key
      PID:1852
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 14478 /f
      4⤵
      Modifies registry key
      PID:64
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {23775-7906-19937-7162} /f
      4⤵
      Modifies registry key
      PID:4740
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
      4⤵
      PID:3592
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      4⤵
      PID:2908
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      4⤵
      PID:4216
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
      4⤵
      PID:3648
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
      4⤵
      PID:1244
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
      4⤵
      PID:768
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
      4⤵
      PID:1816
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
      4⤵
      PID:2344
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
      4⤵
      PID:1252
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
      4⤵
      PID:4836
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
      4⤵
      PID:3792
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
      4⤵
      PID:4860
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
      4⤵
      PID:3068
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
      4⤵
      PID:4716
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
      4⤵
      PID:4564
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
      4⤵
      PID:696
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
      4⤵
      PID:4448
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
      4⤵
      PID:3708
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
      4⤵
      PID:1924
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d ---- /f
      4⤵
      PID:3636
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d ---- /f
      4⤵
      PID:1908
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
      4⤵
      PID:3700
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
      4⤵
      PID:428
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d {----} /fW
      4⤵
      PID:5016
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d {----} /f
      4⤵
      PID:2620
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 12769 /f
      4⤵
      PID:2332
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 31566 /f
      4⤵
      PID:408
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d ---- /f
      4⤵
      PID:3028
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 6799-13155-2450-22446-9040 /f
      4⤵
      Modifies registry key
      PID:3740
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 26301-4331-16045-21365-4647 /f
      4⤵
      PID:3084
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 6494-19075 /f
      4⤵
      Modifies registry key
      PID:4672
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 28837 /f
      4⤵
      Modifies registry key
      PID:396
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 26560-17245-13676-14717 /f
      4⤵
      Modifies registry key
      PID:3712
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d FS9148 /f
      4⤵
      Modifies registry key
      PID:4556
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 12827-20057 /f
      4⤵
      PID:1420
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d FS22394 /f
      4⤵
      Modifies registry key
      PID:4584
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 18103-11414 /f
      4⤵
      Modifies registry key
      PID:3992
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 9702 /f
      4⤵
      Modifies registry key
      PID:4012
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 10265-19016 /f
      4⤵
      Modifies registry key
      PID:3880
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 20437 /f
      4⤵
      Modifies registry key
      PID:4548
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 1933-8508 /f
      4⤵
      Modifies registry key
      PID:2804
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {986-13934-4889-21712-10679} /f
      4⤵
      Modifies registry key
      PID:556
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {14668-2653-22445-11878-11695} /f
      4⤵
      Modifies registry key
      PID:2808
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {10021-s4029-26167-17524-3437} /f
      4⤵
      Modifies registry key
      PID:876
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac11617} /f
      4⤵
      Modifies registry key
      PID:1948
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {fefefee11036-28311-11729-21520} /f
      4⤵
      Modifies registry key
      PID:4168
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate /t REG_SZ /d 29370 /f
      4⤵
      Modifies registry key
      PID:4852
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductId /t REG_SZ /d 27382 /f
      4⤵
      Modifies registry key
      PID:3760
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 11333 /f
      4⤵
      PID:1092
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 13890 /f
      4⤵
      Modifies registry key
      PID:1744
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" "WindowsUpdate /v SusClientId /t REG_SZ /d {2752-24920-7942-10380-28536} /f
      4⤵
      Modifies registry key
      PID:4400
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
      4⤵
      PID:1528
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
      4⤵
      PID:4748
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
      4⤵
      PID:868
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
      4⤵
      PID:1800
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
      4⤵
      PID:4344
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      4⤵
      PID:4896
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
      4⤵
      PID:912
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
      4⤵
      PID:2468
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
      4⤵
      PID:4180
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
      4⤵
      PID:1604
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
      4⤵
      PID:4756
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
      4⤵
      Checks processor information in registry
      PID:4348
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
      4⤵
      PID:1944
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
      4⤵
      PID:4504
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
      4⤵
      PID:1060
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
      4⤵
      PID:3460
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
      4⤵
      PID:4060
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
      4⤵
      PID:1168
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
      4⤵
      PID:2100
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
      4⤵
      PID:2884
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
      4⤵
      PID:468
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
      4⤵
      PID:4944
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
      4⤵
      PID:2424
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
      4⤵
      PID:4832
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App" /f
      4⤵
      PID:1080
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol" /f
      4⤵
      PID:2292
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol\ms-gamebarservices" /f
      4⤵
      PID:2384
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe" /f
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4496
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
      4⤵
      PID:3840
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
      4⤵
      PID:2004
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
      4⤵
      PID:1852
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
      4⤵
      PID:4888
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
      4⤵
      PID:1736
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
      4⤵
      PID:1880
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
      4⤵
      PID:4192
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
      4⤵
      PID:4440
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
      4⤵
      PID:5100
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
      4⤵
      PID:3688
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
      4⤵
      PID:3620
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
      4⤵
      PID:4824
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
      4⤵
      PID:436
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
      4⤵
      PID:2288
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
      4⤵
      PID:796
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
      4⤵
      PID:4100
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
      4⤵
      PID:2908
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
      4⤵
      PID:4216
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
      4⤵
      PID:3648
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182" /f
      4⤵
      PID:2892
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
      4⤵
      PID:3576
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\180" /f
      4⤵
      PID:2416
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
      4⤵
      PID:3344
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\181" /f
      4⤵
      PID:848
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
      4⤵
      PID:4660
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
      4⤵
      PID:1536
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
      4⤵
      PID:392
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
      4⤵
      PID:792
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
      4⤵
      PID:3180
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
      4⤵
      PID:2652
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
      4⤵
      PID:1792
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
      4⤵
      PID:2784
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
      4⤵
      PID:1984
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
      4⤵
      PID:3224
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
      4⤵
      PID:3048
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
      4⤵
      PID:1504
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
      4⤵
      PID:992
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
      4⤵
      PID:696
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
      4⤵
      PID:2748
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
      4⤵
      PID:4904
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
      4⤵
      PID:3380
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
      4⤵
      PID:4340
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
      4⤵
      PID:532
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
      4⤵
      PID:4352
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
      4⤵
      PID:3664
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
      4⤵
      PID:5112
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
      4⤵
      PID:4416
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
      4⤵
      PID:3560
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
      4⤵
      PID:4856
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
      4⤵
      PID:2764
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
      4⤵
      PID:4796
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
      4⤵
      PID:4424
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
      4⤵
      PID:3768
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
      4⤵
      PID:2280
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
      4⤵
      PID:2868
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
      4⤵
      PID:3712
  - - C:\Windows\system32\reg.exe
      reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
      4⤵
      PID:4556
  - - C:\Windows\system32\reg.exe
      reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
      4⤵
      PID:1420
  - - C:\Windows\system32\reg.exe
      reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
      4⤵
      PID:4676
  - - C:\Windows\system32\reg.exe
      reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
      4⤵
      PID:3308
  - - C:\Windows\system32\reg.exe
      reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
      4⤵
      PID:2348
  - - C:\Windows\system32\reg.exe
      reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
      4⤵
      PID:4336
  - - C:\Windows\system32\reg.exe
      reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
      4⤵
      PID:2240
  - - C:\Windows\system32\reg.exe
      reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
      4⤵
      PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Visual Services Spoofer\Cleaners (order doesn't matter but if you want you can use it in this order)\Cleaner4.bat" "
1⤵
PID:4740
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  PID:1232
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  PID:1196
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  PID:3184
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  PID:4888
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  PID:2004
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:3172
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:1852
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:3704
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:2732
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
  2⤵
  PID:4924
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:3096
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:2020
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:944
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:3376
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:4212
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 32475-5108 /f
  2⤵
  - Modifies registry key
  PID:1612
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 28079-20315 /f
  2⤵
  - Modifies registry key
  PID:3204
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac28651} /f
  2⤵
  - Modifies registry key
  PID:1248
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {18159-15220-17956-11914-22635} /f
  2⤵
  - Modifies registry key
  PID:580
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {31807-3149-2483-26687-27155} /f
  2⤵
  - Modifies registry key
  PID:4716
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 26394-6063 /f
  2⤵
  - Modifies registry key
  PID:3716
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 16737-15012 /f
  2⤵
  - Modifies registry key
  PID:1136
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 12737-4586 /f
  2⤵
  - Modifies registry key
  PID:4664
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 5732-31175-7700-8959-26431 /f
  2⤵
  - Modifies registry key
  PID:3148
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 26664-26719-23317-29776-12859 /f
  2⤵
  - Modifies registry key
  PID:3380
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 660-15982-25249-4981 /f
  2⤵
  - Modifies registry key
  PID:3636
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 31397 /f
  2⤵
  - Modifies registry key
  PID:532
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {8765-30057-14779-8242} /f
  2⤵
  - Modifies registry key
  PID:1908
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
  2⤵
  PID:3700
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:1104
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:2848
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:1312
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:3680
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:2764
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:4796
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:3740
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  2⤵
  PID:4672
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:396
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:3712
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  2⤵
  PID:4504
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  2⤵
  PID:1336
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
  2⤵
  PID:576
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
  2⤵
  PID:364
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
  2⤵
  PID:1808
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
  2⤵
  PID:1440
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d ---- /f
  2⤵
  PID:2964
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d ---- /f
  2⤵
  PID:468
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
  2⤵
  PID:1744
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
  2⤵
  PID:1020
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d {----} /fW
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d {----} /f
  2⤵
  PID:2568
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 19384 /f
  2⤵
  PID:1084
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 214 /f
  2⤵
  PID:4584
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d ---- /f
  2⤵
  PID:1596
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 32027-11620-1391-31241-16314 /f
  2⤵
  - Modifies registry key
  PID:4972
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 30489-7900-18531-2573-26689 /f
  2⤵
  - Modifies registry key
  PID:800
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 2619-15359 /f
  2⤵
  - Modifies registry key
  PID:4408
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 14156 /f
  2⤵
  - Modifies registry key
  PID:4040
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 19591-3228-19839-17956 /f
  2⤵
  - Modifies registry key
  PID:4888
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d FS11829 /f
  2⤵
  - Modifies registry key
  PID:1860
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 13366-2828 /f
  2⤵
  - Modifies registry key
  PID:3424
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d FS8621 /f
  2⤵
  PID:2968
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 19281-2302 /f
  2⤵
  - Modifies registry key
  PID:2596
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 22168 /f
  2⤵
  - Modifies registry key
  PID:4284
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 30363-26124 /f
  2⤵
  - Modifies registry key
  PID:1592
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 11128 /f
  2⤵
  - Modifies registry key
  PID:1244
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 22886-26808 /f
  2⤵
  - Modifies registry key
  PID:1524
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {29790-21965-20685-15506-29418} /f
  2⤵
  - Modifies registry key
  PID:3512
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {29471-6201-18800-24359-16665} /f
  2⤵
  - Modifies registry key
  PID:908
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {5234-s18315-7361-12234-25633} /f
  2⤵
  - Modifies registry key
  PID:4560
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac20091} /f
  2⤵
  - Modifies registry key
  PID:4572
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {fefefee19005-29619-31120-6128} /f
  2⤵
  PID:4732
- C:\Windows\system32\reg.exe
  REG ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate /t REG_SZ /d 18653 /f
  2⤵
  - Modifies registry key
  PID:848
- C:\Windows\system32\reg.exe
  REG ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductId /t REG_SZ /d 32286 /f
  2⤵
  - Modifies registry key
  PID:792
- C:\Windows\system32\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 433 /f
  2⤵
  - Modifies registry key
  PID:392
- C:\Windows\system32\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 23202 /f
  2⤵
  - Modifies registry key
  PID:2412
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" "WindowsUpdate /v SusClientId /t REG_SZ /d {31683-20402-15458-20875-600} /f
  2⤵
  - Modifies registry key
  PID:3392
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  2⤵
  PID:4596
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
  2⤵
  PID:2652
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
  2⤵
  PID:4816
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
  2⤵
  PID:4980
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:1052
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:3328
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
  2⤵
  PID:1428
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:4352
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:2844
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
  2⤵
  PID:4356
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:3560
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
  2⤵
  - Checks processor information in registry
  PID:2332
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:5056
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
  2⤵
  PID:3012
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  2⤵
  PID:4300
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:4424
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  2⤵
  PID:3768
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
  2⤵
  PID:2380
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
  2⤵
  PID:1468
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
  2⤵
  PID:1636
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
  2⤵
  PID:1568
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
  2⤵
  PID:4200
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
  2⤵
  PID:2948
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
  2⤵
  PID:1628
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App" /f
  2⤵
  PID:4556
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol" /f
  2⤵
  PID:4480
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol\ms-gamebarservices" /f
  2⤵
  PID:164
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2964
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
  2⤵
  PID:468
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
  2⤵
  PID:1744
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
  2⤵
  PID:1020
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
  2⤵
  PID:2568
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
  2⤵
  PID:1084
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Visual Services Spoofer\Cleaners (order doesn't matter but if you want you can use it in this order)\Cleaner3.bat" "
1⤵
PID:4648
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:4040
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  PID:4888
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicWebHelper.exe
  2⤵
  - Kills process with taskkill
  PID:2272
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  PID:3704
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  PID:4924
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  PID:3016
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  PID:1816
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  PID:4560
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  PID:1612
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  PID:3792
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  PID:3068
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  PID:3392
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
  2⤵
  PID:4664
- C:\Windows\system32\reg.exe
  reg delete "HKCU\SOFTWARE\Epic Games" /f
  2⤵
  PID:3148
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:3380
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
  2⤵
  PID:3636
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
  2⤵
  PID:532
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
  2⤵
  PID:3664
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:428
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:1104
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
  2⤵
  PID:220
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:4856
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:2764
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
  2⤵
  PID:4796
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:3740
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  reg delete "HKCR\com.epicgames.eos" /f
  2⤵
  PID:4672
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:396
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
  2⤵
  PID:3712
- C:\Windows\system32\netsh.exe
  netsh advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Visual Services Spoofer\Cleaners (order doesn't matter but if you want you can use it in this order)\Cleaner2.bat" "
1⤵
PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Visual Services Spoofer\Cleaners (order doesn't matter but if you want you can use it in this order)\Cleaner1.bat" "
1⤵
PID:2644
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  PID:4884
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicWebHelper.exe
  2⤵
  - Kills process with taskkill
  PID:3728
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  PID:4960
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  PID:3424
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  PID:2376
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  PID:1244
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  PID:712
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  PID:3376
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  PID:4836
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  PID:4732
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  PID:1248
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
  2⤵
  PID:1360
- C:\Windows\system32\reg.exe
  reg delete "HKCU\SOFTWARE\Epic Games" /f
  2⤵
  PID:4564
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:696
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
  2⤵
  PID:4448
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
  2⤵
  PID:3708
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:1924
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
  2⤵
  PID:4340
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
  2⤵
  PID:1908
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:3700
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:1464
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:5016
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
  2⤵
  PID:3560
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:2332
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
  2⤵
  PID:408
- C:\Windows\system32\reg.exe
  reg delete "HKCR\com.epicgames.eos" /f
  2⤵
  PID:3028
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:1396
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\EpicGames" /f
  2⤵
  PID:1688
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
  2⤵
  PID:3188
- C:\Windows\system32\netsh.exe
  netsh advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2864

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Visual Services Spoofer\Serials_Checker.bat" "
1⤵
PID:4956
- C:\Windows\system32\mode.com
  mode con: cols=90 lines=48
  2⤵
  PID:1672
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  PID:4020
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  PID:1528
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get serialnumber
  2⤵
  PID:3176
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  PID:4576
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  PID:4088
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get serialnumber
  2⤵
  PID:1604
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
  2⤵
  PID:3056
- C:\Windows\System32\Wbem\WMIC.exe
  wmic PATH Win32_VideoController GET Description,PNPDeviceID
  2⤵
  PID:1036

C:\Users\Admin\Desktop\Visual Services Spoofer\Visual.exe
"C:\Users\Admin\Desktop\Visual Services Spoofer\Visual.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1640
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4944

C:\Users\Admin\Desktop\Visual Services Spoofer\Visual.exe
"C:\Users\Admin\Desktop\Visual Services Spoofer\Visual.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Visual Services Spoofer\Drive_Remover.bat" "
1⤵
PID:1052
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1924
- C:\Windows\system32\net.exe
  NET FILE
  2⤵
  PID:3700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 FILE
    3⤵
    PID:428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell /nologo /noprofile /command "&{[ScriptBlock]::Create((cat """C:\Users\Admin\Desktop\Visual Services Spoofer\Drive_Remover.bat""") -join [Char[]]10).Invoke(@(&{$args}))}"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:1104
- - C:\Windows\system32\pnputil.exe
    "C:\Windows\system32\pnputil.exe" /remove-device "SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 2&1f4adffe&0&000002" /force
    3⤵
    PID:1628

C:\Users\Admin\Desktop\Visual Services Spoofer\Activation.exe
"C:\Users\Admin\Desktop\Visual Services Spoofer\Activation.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c title Windows Activation Fix
  2⤵
  PID:1120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 0b
  2⤵
  PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:5028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation
  2⤵
  PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:5044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607
  2⤵
  PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Starting...
  2⤵
  PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat
  2⤵
  PID:2636
- - C:\Windows\system32\takeown.exe
    takeown /F C:\Windows\System32\sppsvc.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1060
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant administrators:F /T
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4908
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\spp /grant administrators:F /T
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Applying permissions...
  2⤵
  PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
  2⤵
  PID:2512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
  2⤵
  PID:3728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
  2⤵
  PID:1708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
  2⤵
  PID:768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl
  2⤵
  PID:3096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1500

C:\Users\Admin\Desktop\Visual Services Spoofer\Activation.exe
"C:\Users\Admin\Desktop\Visual Services Spoofer\Activation.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c title Windows Activation Fix
  2⤵
  PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 0b
  2⤵
  PID:3696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation
  2⤵
  PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607
  2⤵
  PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:2380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Starting...
  2⤵
  PID:532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat
  2⤵
  PID:4332
- - C:\Windows\system32\takeown.exe
    takeown /F C:\Windows\System32\sppsvc.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3380
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant administrators:F /T
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3992
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\spp /grant administrators:F /T
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Applying permissions...
  2⤵
  PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
  2⤵
  PID:4024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
  2⤵
  PID:4348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
  2⤵
  PID:880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
  2⤵
  PID:736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl
  2⤵
  PID:1200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32\spp' -AclObject $acl
  2⤵
  PID:3036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %windir%\IME\reset.bat
  2⤵
  PID:516
- - C:\Windows\system32\net.exe
    net stop sppsvc
    3⤵
    PID:2840
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc
      4⤵
      PID:2292
- - C:\Windows\system32\net.exe
    net start sppsvc
    3⤵
    PID:2052
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc
      4⤵
      PID:1540
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs /rilc
    3⤵
    PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery