Analysis
- max time kernel: 13s
- max time network: 30s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-03-2023 04:50
Behavioral tasks
- behavioral1: Meta Unban/Cleaners/AppleCleaner.exe (resource win7-20230220-en)
- behavioral2: Meta Unban/Cleaners/AppleCleaner.exe (resource win10v2004-20230220-en)
- behavioral3: Meta Unban/Cleaners/AppleS5-DEL.exe (resource win7-20230220-en)
- behavioral4: Meta Unban/Cleaners/AppleS5-DEL.exe (resource win10v2004-20230220-en)
- behavioral5: Meta Unban/Cleaners/BadwareCleaner.exe (resource win7-20230220-en)
- behavioral6: Meta Unban/Cleaners/BadwareCleaner.exe (resource win10v2004-20230220-en)
- behavioral7: Meta Unban/Cleaners/BadwareDeepCleaner.exe (resource win7-20230220-en)
- behavioral8: Meta Unban/Cleaners/BadwareDeepCleaner.exe (resource win10v2004-20230220-en)
- behavioral9: Meta Unban/Cleaners/EventCleaner.exe (resource win7-20230220-en)
- behavioral10: Meta Unban/Cleaners/EventCleaner.exe (resource win10v2004-20230221-en)
- behavioral11: Meta Unban/Cleaners/Fivem-Cleaner.bat (resource win7-20230220-en)
- behavioral12: Meta Unban/Cleaners/Fivem-Cleaner.bat (resource win10v2004-20230220-en)
- behavioral13: Meta Unban/Cleaners/FortniteCleaner.bat (resource win7-20230220-en)
- behavioral14: Meta Unban/Cleaners/FortniteCleaner.bat (resource win10v2004-20230220-en)
- behavioral15: Meta Unban/Cleaners/NXTcleaner.exe (resource win7-20230220-en)
- behavioral16: Meta Unban/Cleaners/NXTcleaner.exe (resource win10v2004-20230220-en)
- behavioral17: Meta Unban/Cleaners/full deep cleaner by nigga mhatt lol.bat (resource win7-20230220-en)
- behavioral18: Meta Unban/Cleaners/full deep cleaner by nigga mhatt lol.bat (resource win10v2004-20230221-en)
- behavioral19: Meta Unban/Meta Unban.exe (resource win7-20230220-en)
- behavioral20: Meta Unban/Meta Unban.exe (resource win10v2004-20230220-en)
General
- Target: Meta Unban/Cleaners/NXTcleaner.exe
- Size: 3.2MB
- MD5: 644399a0aff07bd4f7dc1eb5aa5c0236
- SHA1: 243f1f7bb95af8d3c44a270772f408c6febb06af
- SHA256: 5d101b2efae1e9390ac98e014a05d54338ec45cd73ff5dd70842877910f7b758
- SHA512: 73db539182c67d18b4e491966672876054cdeaae9d5ac024f1991a0551aea74867d9f1df7487655a5c9089553b967c09f558b02e33ec0cc015b6587fd5eb2508
- SSDEEP: 49152:MVmDUcyg2ImpoHJSt6Ia+CZEV2o8vMT3/nwlU5igpWV7JEW8np2Klad4j0Vs:MsgcypOSUI+qmJo+QZladTV
Malware Config
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: NXTcleaner.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (NXTcleaner.exe)
Drops file in Windows directory 64 IoCs
Processes: cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: cmd.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (cmd.exe)
- Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (cmd.exe)
- Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (cmd.exe)
Enumerates system info in registry 2 TTPs 12 IoCs
Processes: reg.exe, msedge.exe, Conhost.exe
- Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 (reg.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (reg.exe)
- Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 (Conhost.exe)
- Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "10763-12089-16219483" (Conhost.exe)
- Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "10763-12089-16219483" (reg.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct (reg.exe)
- Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "10760134131123" (reg.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier (Conhost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier (reg.exe)
Kills process with taskkill 3 IoCs
Processes: taskkill.exe
- PID 4476 taskkill.exe
- PID 4980 taskkill.exe
- PID 496 taskkill.exe
Modifies registry class 10 IoCs
Processes: NXTcleaner.exe, msedge.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\URL Protocol (NXTcleaner.exe)
- Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\DefaultIcon (NXTcleaner.exe)
- Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\shell\open\command (NXTcleaner.exe)
- Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\shell (NXTcleaner.exe)
- Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\shell\open (NXTcleaner.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
- Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864 (NXTcleaner.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\ = "URL:Run game 812970075899428864 protocol" (NXTcleaner.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meta Unban\\Cleaners\\NXTcleaner.exe" (NXTcleaner.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meta Unban\\Cleaners\\NXTcleaner.exe" (NXTcleaner.exe)
Modifies registry key 1 TTPs 64 IoCs
Processes: reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: msedge.exe
- PID 3832 msedge.exe
- PID 3832 msedge.exe
- PID 3856 msedge.exe
- PID 3856 msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: NXTcleaner.exe
- PID 3656 NXTcleaner.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes: msedge.exe
- PID 3856 msedge.exe
- PID 3856 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: taskkill.exe
- Token: SeDebugPrivilege, PID 4476 taskkill.exe
- Token: SeDebugPrivilege, PID 4980 taskkill.exe
- Token: SeDebugPrivilege, PID 496 taskkill.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: msedge.exe
- PID 3856 msedge.exe
- PID 3856 msedge.exe
- PID 3856 msedge.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: NXTcleaner.exe, cmd.exe, msedge.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\NXTcleaner.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\NXTcleaner.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
  - Drops file in Windows directory
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
  - Drops file in Windows directory
- [depth 2] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c cls
- [depth 2] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c start https://nxt.lol/
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://nxt.lol/
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc820946f8,0x7ffc82094708,0x7ffc82094718
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6ed865460,0x7ff6ed865470,0x7ff6ed865480
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
- [depth 2] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\system32\taskkill.exe
  cmdline: taskkill /f /im EpicGamesLauncher.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\system32\taskkill.exe
  cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\system32\taskkill.exe
  cmdline: taskkill /f /im OneDrive.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
- [depth 2] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c cls
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C del /s /f /a:h /a:a /d C:\MSOCache\{71230000_00E2-0000-1000-00000000}\Setup.dat
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
- [depth 3] C:\Windows\system32\reg.exe
  cmdline: reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
  - Modifies registry key
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\Public\Documents
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
- [depth 3] C:\Windows\system32\reg.exe
  cmdline: REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 1075723361132581789323326737026607228981683628974333020926 /f
  - Modifies registry key
- [depth 2] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\reg.exereg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f3⤵
- Modifies registry key
-
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 1075723361132581789323326737026607228981683628974333020926 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-10757 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-10757 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 10760-1341-31123-9188 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {%random%-%random} /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {10760-%random} /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 10760134131123 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 10760 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 10760 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 10760134131123 /f
  - Enumerates system info in registry
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {10760-1341-311239188} /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\Intel
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {10760-1341-311239188} /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {10763-12089-16219483} /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 10763-12089-16219483 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 10763-12089-16219483 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 10763-12089-16219483 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 10763-12089-16219483 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 10763-12089-16219483 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 10763-12089-16219483 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 10763-12089-16219483 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\system Volume Information\IndexerVolumeGuid
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {10763-12089-16219483} /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%-%random%-%random%%random%} /f
  - Checks processor information in registry
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {10763-12089-16219483} /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-10766 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 10766 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 10766 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-10766 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\system32\restore\MachineGuid.txt
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {10766-22838-1315-2454721501} /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {10766-22838-1315-2454721501} /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\Public\Libraries
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 10766 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\MSOCache
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 10766 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 10766 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 10766-22838-1315-24547 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%-%random%-%random%-%random% /f
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 10770-818-19179-15842 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%-%random%-%random%-%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 10770-818-19179-15842 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 10770 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 10770 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 10770 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {10770-818-19179-15842} /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG delete HKCU\Software\Epic" "Games /f
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe [depth 3]
  REG delete HKCU\Software\Epic" "Games /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 10770-818-19179-1584231816 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
  - Enumerates system info in registry
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKCR\com.epicgames.launcher /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKCR\com.epicgames.launcher /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SYSTEM\MountedDevices /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 10776-22315-2213931201 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 10776-22315-2213931201 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 10776-22315-2213931201 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 10776-22315-2213931201 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 10776-22315-2213931201 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Enumerates system info in registry
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 10776-22315-2213931201 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SYSTEM\MountedDevices /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 10780295723622496299922089156262407134518706229521234 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 10783-11044-2510013791 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 10783-11044-2510013791 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 10783-11044-2510013791 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 10783-11044-2510013791 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d %random%-%random%-%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 10783-11044-2510013791 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History /f
C:\Windows\System32\Conhost.exe [depth 3]
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKCU\Software\Hex-Rays\IDA\History /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
C:\Windows\system32\reg.exe [depth 3]
  reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 1078621792101965087178539943218512932116006409199921322 /f
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
C:\Windows\system32\reg.exe [depth 3]
  REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 10786217921019650871785399432185129321160064091999 /f
  - Modifies registry key
C:\Windows\System32\cmd.exe [depth 2]
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 1078621792101965087178539943218512932116006409 /f3⤵
- Modifies registry key
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 107893254128060291502816713869249632639318112261185121366 /f3⤵
- Modifies registry key
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵
-
C:\Windows\system32\reg.exeREG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 107893254128060291502816713869249632639318112261185121366 /f3⤵
- Modifies registry key
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 107893254128060291502816713869249632639318112 /f3⤵
- Modifies registry key
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 107893254128060291502816713869249632639318112 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 107893254128060291502816713869249632639318112 /f3⤵
- Modifies registry key
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 107931052113156 /f3⤵
- Modifies registry key
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f2⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 107931052113156 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 107931052113156 /f3⤵
- Modifies registry key
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 107931052113156 /f3⤵
- Modifies registry key
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f2⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 107931052113156204455714177962807623466185526881170321410 /f3⤵
- Modifies registry key
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f2⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {10793-10521-1315620445} /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\IME\Cleaner.exe2⤵
-
C:\Windows\IME\Cleaner.exeC:\Windows\IME\Cleaner.exe3⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads