
Analysis

  • max time kernel
    62s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/02/2024, 13:39

General

  • Target

    https://cdn.discordapp.com/attachments/1209236505327960065/1209642421189746698/2XL_Free_Spoof.exe?ex=65e7aa4b&is=65d5354b&hm=a3f23762fbe49689237f02db55ea31ae4f5994242d96538aa0aa82db3167fac7&

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 48 IoCs
  • Modifies registry key 1 TTPs 34 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1209236505327960065/1209642421189746698/2XL_Free_Spoof.exe?ex=65e7aa4b&is=65d5354b&hm=a3f23762fbe49689237f02db55ea31ae4f5994242d96538aa0aa82db3167fac7&
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd56f946f8,0x7ffd56f94708,0x7ffd56f94718
      2⤵
      PID:632
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:948
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
      2⤵
      PID:4520
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
      2⤵
      PID:220
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      2⤵
      PID:2968
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      2⤵
      PID:5052
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
      2⤵
      PID:2028
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1396
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
      2⤵
      PID:448
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
      2⤵
      PID:3184
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
      2⤵
      PID:2744
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
      2⤵
      PID:2224
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
      2⤵
      PID:4248
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5824 /prefetch:8
      2⤵
      PID:4408
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6372 /prefetch:8
      2⤵
      PID:3132
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1904
    • C:\Users\Admin\Downloads\2XL_Free_Spoof.exe
      "C:\Users\Admin\Downloads\2XL_Free_Spoof.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:64
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c color 04
        3⤵
        PID:3892
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe >nul 2>&1
        3⤵
        PID:556
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im epicgameslauncher.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4016
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
        PID:3184
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
        PID:1636
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
        PID:4700
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
        3⤵
        PID:1068
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im KsDumperClient.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5088
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
        3⤵
        PID:1804
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im KsDumper.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3952
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
        3⤵
        PID:5052
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im HTTPDebuggerUI.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4260
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
        3⤵
        PID:556
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im HTTPDebuggerSvc.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3184
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
        3⤵
        PID:3708
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im ProcessHacker.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2428
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
        3⤵
        PID:2148
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im idaq.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3692
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
        3⤵
        PID:1592
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im idaq64.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2320
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
        3⤵
        PID:5012
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im Wireshark.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1636
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
        3⤵
        PID:4668
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im Fiddler.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:928
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
        3⤵
        PID:3544
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
        3⤵
        PID:4960
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im Xenos64.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3528
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
        3⤵
        PID:1144
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im Xenos.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3184
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
        3⤵
        PID:3112
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im Xenos32.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4636
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
        3⤵
        PID:4992
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im de4dot.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3692
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
        3⤵
        PID:5088
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im Cheat Engine.exe
          4⤵
          • Kills process with taskkill
          PID:2320
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
        3⤵
        PID:4700
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im cheatengine-x86_64.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4312
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
        3⤵
        PID:1200
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4260
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
        3⤵
        PID:2944
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3572
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
            5⤵
            • Kills process with taskkill
            PID:2944
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
        3⤵
        PID:3016
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im MugenJinFuu-i386.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4668
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
        3⤵
        PID:3544
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im cheatengine-x86_64.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1696
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
        3⤵
        PID:4260
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im cheatengine-i386.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1200
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
        3⤵
        PID:3572
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
        3⤵
        PID:448
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im KsDumper.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4992
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
                                                                                          3⤵
                                                                                            PID:3952
                                                                                            • C:\Windows\system32\taskkill.exe
                                                                                              taskkill /f /im OllyDbg.exe
                                                                                              4⤵
                                                                                              • Kills process with taskkill
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:4312
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
                                                                                            3⤵
                                                                                              PID:3892
                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                taskkill /f /im x64dbg.exe
                                                                                                4⤵
                                                                                                • Kills process with taskkill
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:3568
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
                                                                                              3⤵
                                                                                                PID:4016
                                                                                                • C:\Windows\system32\taskkill.exe
                                                                                                  taskkill /f /im x32dbg.exe
                                                                                                  4⤵
                                                                                                  • Kills process with taskkill
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1592
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                                                                3⤵
                                                                                                  PID:1068
                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                                                    4⤵
                                                                                                    • Kills process with taskkill
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:1904
                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
                                                                                                  3⤵
                                                                                                    PID:4752
                                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                                      taskkill /f /im HTTPDebuggerUI.exe
                                                                                                      4⤵
                                                                                                      • Kills process with taskkill
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:2428
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
                                                                                                    3⤵
                                                                                                      PID:2820
                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                        taskkill /f /im HTTPDebuggerSvc.exe
                                                                                                        4⤵
                                                                                                        • Kills process with taskkill
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:1804
                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
                                                                                                      3⤵
                                                                                                        PID:2280
                                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                                          taskkill /f /im Ida64.exe
                                                                                                          4⤵
                                                                                                          • Kills process with taskkill
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:4636
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
                                                                                                        3⤵
                                                                                                          PID:3184
                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                            taskkill /f /im OllyDbg.exe
                                                                                                            4⤵
                                                                                                            • Kills process with taskkill
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:4668
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
                                                                                                          3⤵
                                                                                                            PID:556
                                                                                                            • C:\Windows\system32\taskkill.exe
                                                                                                              taskkill /f /im Dbg64.exe
                                                                                                              4⤵
                                                                                                              • Kills process with taskkill
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:3720
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
                                                                                                            3⤵
                                                                                                              PID:5052
                                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                                taskkill /f /im Dbg32.exe
                                                                                                                4⤵
                                                                                                                • Kills process with taskkill
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:1592
                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
                                                                                                              3⤵
                                                                                                                PID:4716
                                                                                                                • C:\Windows\system32\taskkill.exe
                                                                                                                  taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                                                                                                                  4⤵
                                                                                                                  • Kills process with taskkill
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:2148
                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                                                                                3⤵
                                                                                                                  PID:3184
                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                                                                    4⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:3168
                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
                                                                                                                  3⤵
                                                                                                                    PID:3720
                                                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                                                      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:556
                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c cls
                                                                                                                    3⤵
                                                                                                                      PID:2280
                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c cls
                                                                                                                      3⤵
                                                                                                                        PID:3528
                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Windows\INF\cleaner.bat
                                                                                                                        3⤵
                                                                                                                          PID:4580
                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                            taskkill /f /im epicgameslauncher.exe
                                                                                                                            4⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:3184
                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                            taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
                                                                                                                            4⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:2980
                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                            taskkill /f /im FortniteClient-Win64-Shipping.exe
                                                                                                                            4⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:2280
                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                            taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
                                                                                                                            4⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:4988
                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                            taskkill /f /im FortniteLauncher.exe
                                                                                                                            4⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:2788
                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                            taskkill /f /im UnrealCEFSubProcess.exe
                                                                                                                            4⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:1904
                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                            taskkill /f /im CEFProcess.exe
                                                                                                                            4⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:4300
                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                            taskkill /f /im EasyAntiCheat.exe
                                                                                                                            4⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:3868
                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                            taskkill /f /im BEService.exe
                                                                                                                            4⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:5068
                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                            taskkill /f /im BEServices.exe
                                                                                                                            4⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:1504
                                                                                                                          • C:\Windows\system32\taskkill.exe
          taskkill /f /im BattleEye.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1068
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {7574-12453-21562-28706} /f
          4⤵
          • Modifies registry key
          PID:556
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {29089-29169-5451-26192} /f
          4⤵
          • Modifies registry key
          PID:2980
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 2611-16674-15936-1041 /f
          4⤵
          • Modifies registry key
          PID:3048
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 21067-17163-28468-32106 /f
          4⤵
          • Modifies registry key
          PID:1384
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
          4⤵
          PID:1708
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
          4⤵
          PID:1636
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
          4⤵
          PID:2820
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
          4⤵
          PID:2320
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
          4⤵
          PID:2708
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
          4⤵
          PID:2616
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
          4⤵
          PID:1532
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
          4⤵
          PID:4408
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 12519 /f
          4⤵
          • Modifies registry key
          PID:3752
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 31102 /f
          4⤵
          • Modifies registry key
          PID:5068
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
          4⤵
          PID:3708
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
          4⤵
          PID:1504
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
          4⤵
          PID:2816
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
          4⤵
          PID:448
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
          4⤵
          PID:2644
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Desktop15936 /f
          4⤵
          • Modifies registry key
          PID:1636
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Desktop32090 /f
          4⤵
          • Modifies registry key
          PID:2820
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Admin7453} /f
          4⤵
          • Modifies registry key
          PID:2428
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {22287-3126-30652-14440} /f
          4⤵
          • Modifies registry key
          PID:4992
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {16410-4498-21102-25408} /f
          4⤵
          • Modifies registry key
          PID:5008
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 7432 /f
          4⤵
          • Modifies registry key
          PID:2616
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 14253 /f
          4⤵
          • Modifies registry key
          PID:4716
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 10675 /f
          4⤵
          • Modifies registry key
          PID:3868
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 32749-25037-4660-13270 /f
          4⤵
          • Modifies registry key
          PID:3356
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 22428-11957-3289-2065 /f
          4⤵
          • Modifies registry key
          PID:1804
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 21939-28257-8520-19628 /f
          4⤵
          • Modifies registry key
          PID:3276
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 3426 /f
          4⤵
          • Modifies registry key
          PID:3892
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {5388-10589-4201-15738} /f
          4⤵
          • Modifies registry key
          PID:3392
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
          4⤵
          PID:2080
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 25876-8596-21280-Admin18051 /f
          4⤵
          • Modifies registry key
          PID:464
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
          4⤵
          PID:2636
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
          4⤵
          PID:1384
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
          4⤵
          PID:1380
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
          4⤵
          PID:704
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
          4⤵
          PID:1788
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Desktop23733 /f
          4⤵
          • Modifies registry key
          PID:1636
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Desktop28609 /f
          4⤵
          • Modifies registry key
          PID:2820
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Admin423} /f
          4⤵
          • Modifies registry key
          PID:2428
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {18185-12567-513-26868} /f
          4⤵
          • Modifies registry key
          PID:4992
        • C:\Windows\system32\reg.exe
          REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {21046-31371-23024-25734} /f
          4⤵
          • Modifies registry key
                                                                                                                                                                  PID:5008
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 29862 /f
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                  PID:2616
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 30225 /f
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                  PID:4716
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 22556 /f
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                  PID:3868
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 19457-31606-31-23482 /f
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                  PID:3356
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 25624-12702-11421-2712 /f
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                  PID:1804
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 22191-1921-8244-21843 /f
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                  PID:3276
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 30273 /f
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                  PID:3892
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {22723-3784-3018-20608} /f
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                  PID:3392
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:2080
                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 17499-835-5586-Admin21564 /f
                                                                                                                                                                    4⤵
                                                                                                                                                                    • Modifies registry key
                                                                                                                                                                    PID:464
                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                    reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:2636
                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c cls
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:4768
                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                      C:\Windows\system32\cmd.exe /c cls
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:3692
                                                                                                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:2720
                                                                                                                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:232
                                                                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                                                                        taskkill /f /im FiddlerEverywhere.exe
                                                                                                                                                                        1⤵
                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                        PID:4016
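The reg.exe children above rewrite, one value at a time, the registry data that licensing and anti-cheat code reads as a machine fingerprint (ComputerName, HwProfileGuid, MachineGuid, ProductId, InstallDate, ComputerHardwareId and so on), then delete the Epic Games keys; note the `Windows" "NT` form, which cmd.exe and reg.exe collapse to `Windows NT` but which a naive substring match on `Windows NT\CurrentVersion` misses. The following Python is an added detection example, not tria.ge's code and not the sample's: it tokenises reg.exe command lines the way the Windows argument parser does, normalises the key, and flags any parent process whose reg.exe children overwrite three or more of the identity values listed in this tree. The watched (key, value) pairs are exactly the ones in the tree above; the parent PID 1234, the benign control event under PID 5678, the threshold of three and the MachineGuid format check are assumptions of the example, and the event list is constructed from the command lines on this page.

```python
import re
from collections import defaultdict

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)


def split_cmdline(cmd):
    """Split on unquoted whitespace and drop the quotes, so the spoofer's
    Windows" "NT form yields the token 'Windows NT' as cmd.exe sees it."""
    tokens, cur, in_quote = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    return tokens + (["".join(cur)] if cur else [])


def norm_key(key):
    # Expand HKLM/HKCU and lowercase so keys compare by meaning, not spelling.
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()


# Machine-identity values: exactly the (key, value) pairs the tree above rewrites.
IDENTITY_VALUES = {(norm_key(k), v.lower()) for k, vals in [
    (r"HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName", ["ComputerName"]),
    (r"HKLM\SYSTEM\HardwareConfig", ["LastConfig"]),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001", ["HwProfileGuid", "GUID"]),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
     ["BuildGUID", "RegisteredOwner", "RegisteredOrganization", "ProductId", "InstallDate"]),
    (r"HKLM\SOFTWARE\Microsoft\Cryptography", ["GUID", "MachineGuid"]),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation", ["ComputerHardwareId"]),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Profile\Profile", ["Guid"]),
] for v in vals}
GAME_KEYS = {norm_key(r"HKCU\Software\Epic Games"), norm_key(r"HKLM\Software\Epic Games")}


def parse_reg(cmdline):
    """Return {'op', 'key', 'value', 'data'} for a reg add/delete line, else None."""
    t = split_cmdline(cmdline)
    if len(t) < 3 or t[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    if t[1].lower() not in ("add", "delete"):
        return None
    rec = {"op": t[1].lower(), "key": norm_key(t[2]), "value": None, "data": None}
    for i in range(3, len(t) - 1):
        if t[i].lower() == "/v":
            rec["value"] = t[i + 1]
        elif t[i].lower() == "/d":
            rec["data"] = t[i + 1]
    return rec


def classify(rec):
    """Findings for one parsed reg command."""
    out = []
    if rec["op"] == "add" and rec["value"]:
        if (rec["key"], rec["value"].lower()) in IDENTITY_VALUES:
            out.append("identity_value_overwritten")
        # A genuine MachineGuid is a GUID; the sample wrote 25624-12702-11421-2712.
        if rec["value"].lower() == "machineguid" and not GUID_RE.match(rec["data"] or ""):
            out.append("machineguid_not_a_guid")
    if rec["op"] == "delete" and rec["key"] in GAME_KEYS:
        out.append("game_launcher_key_deleted")
    return out


def hunt(events, threshold=3):
    """events: (parent_pid, command_line) pairs. Returns the parents whose
    reg.exe children rewrote at least `threshold` distinct identity values."""
    per_parent = defaultdict(lambda: {"identity_values": set(), "findings": []})
    for ppid, cmd in events:
        rec = parse_reg(cmd)
        findings = classify(rec) if rec else []
        if not findings:
            continue
        per_parent[ppid]["findings"].extend(findings)
        if "identity_value_overwritten" in findings:
            per_parent[ppid]["identity_values"].add((rec["key"], rec["value"].lower()))
    return {p: s for p, s in per_parent.items() if len(s["identity_values"]) >= threshold}


# Constructed telemetry: the reg.exe command lines from the tree above under an
# assumed parent PID 1234, plus one benign reg add under PID 5678 as a control.
SAMPLE_EVENTS = [(1234, c) for c in [
    r"REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Desktop28609 /f",
    r"REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Admin423} /f",
    r'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {18185-12567-513-26868} /f',
    r'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {21046-31371-23024-25734} /f',
    r'REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 29862 /f',
    r'REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 30225 /f',
    r'REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 22556 /f',
    r"REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 19457-31606-31-23482 /f",
    r"REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 25624-12702-11421-2712 /f",
    r'REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 22191-1921-8244-21843 /f',
    r'REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 30273 /f',
    r"REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {22723-3784-3018-20608} /f",
    r'reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f',
    r'REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 17499-835-5586-Admin21564 /f',
    r'reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f',
]] + [(5678, r"reg add HKCU\Software\ExampleApp /v Installed /t REG_DWORD /d 1 /f")]
```

Run against `SAMPLE_EVENTS`, `hunt` returns only parent 1234, with all thirteen identity values rewritten, the two Epic Games key deletions and the non-GUID MachineGuid recorded as findings; the control event under 5678 produces nothing. Feeding it real Sysmon event 1 or 4688 records means supplying (ParentProcessId, CommandLine) pairs; the tokeniser, not a substring match, is what keeps the `Windows" "NT` spelling from slipping past the rule.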

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: b1f40e0d6ceaf161dfc1dfdddcfc44af
  SHA1: b6557a6331b4c54efb30597ad4da0be03013a23e
  SHA256: 065557e5cddcc8022528dc82c5fd618ca28c153d6e34978d2ba84d33227eed48
  SHA512: 0d7fd3eabf2d2b426c627531b29e433cab175232c169a77623213b7b9935458b3067a2860137b030235526e49ca4df6867534135cf9da60697d6fa43441e7818

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 18bc1d880e1a43364e572a20540c025b
  SHA1: 93b7043da91e7697d7268a52ca9a434a55ddbb75
  SHA256: 11fcaea6cf095ba038a344829e699198e7c981149f15e30a51229b8dbca6937f
  SHA512: 3e8ca38dbd4d9aa865fdfa359033fb47f581b93842f1ccb667f243cc630bfabf8390cbf8ed1de6110b18819f0d831312304806667bc68fdd13ea1bb09b44742e

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 2a9e6031f24a74bc00841e30d61db793
  SHA1: 0dda5ab00e67e3ac3f7eda8f6c24dfe82706e748
  SHA256: 39fbd9f09275b72182271f14c59f3c9909cd638152934c65677e91cac851caa4
  SHA512: 0fb70e45b6250555d9a2dfa7fa120d5edd5c3d9e26261f0ae35896b762214100401f9542e997050cd0c425c95f902671580625daffb52a2ca71810ac6d875da3

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 35854cc9536940978241a8a1692e3c36
  SHA1: fabf4dd9ff29a09257e6a1cf3f2ed23721508376
  SHA256: 03eed5b254dc8373da9174302c3d7eb51bc0f224a16166b70cc143afc48c4c7b
  SHA512: 7e0809b317a98fc9744f870dd41b1610bd77954726b0736908e440c0e41ec59a1c03bbb973c88412a6631065c79ce003f9402d62527f3ea671e04fa059717ea4

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: bb0f17809b6d42d520122a1bd096f067
  SHA1: 0070f5dbef79eedd9922d18a7fb43e9307ab548c
  SHA256: a5418c6756b5e4bc65f316e3b71c2436981c02af6c504da71f22e01848c23a5a
  SHA512: 5d32d15fc1924a8d8b2f8d55c7dd8762f6728cdc9353e2047bbc7ded623c0def459cff4268b9421d8682ff2227cf9fa3fdfe61503353740adcf3c881562f65b8

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 22d4aa47cbea13d46daed6d06a9e369c
  SHA1: 65511836a359cb8ce8776dd182f83fb96afc9700
  SHA256: 2e2a523e479933907e777af1f543a8b974b55a7c0355a5e7db0ce80a59c56bbb
  SHA512: 0853ebfeeafacccb99a3f87a995563b7c00fb6f3c395507f585f65814a04045042096e1629cedb07b7e5709097ee69ce67f89a86f7813e4e60031fc1238ccd77

• C:\Users\Admin\AppData\Local\Temp\7CE07F~1.TMP
  Filesize: 377KB
  MD5

                                                                                                                                                                        118573e5a7fc1a9113ce062fd6a60d81

                                                                                                                                                                        SHA1

                                                                                                                                                                        61437f5ab7059ab958e343a5aee1a50db488f842

                                                                                                                                                                        SHA256

                                                                                                                                                                        6398d2b095efc10b591d033f06d8679dd28a4b064e425f86e4d72a1d4ffb7e65

                                                                                                                                                                        SHA512

                                                                                                                                                                        7bffde47c74140f3f61a6937bbb29dce331abf0c6ee54be1b22332a8d1ebc2ac78c832fde4aba0c0e9d1053c04d77996cf544c2eade0ef407438e0869a08e306

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E94ADD~1.TMP

                                                                                                                                                                        Filesize

                                                                                                                                                                        224KB

                                                                                                                                                                        MD5

                                                                                                                                                                        09bd0f4196902acac51ec4fab447da46

                                                                                                                                                                        SHA1

                                                                                                                                                                        5d15beebfb17323b8d973546cf9c4cbb4f0cb0c9

                                                                                                                                                                        SHA256

                                                                                                                                                                        a252dde73c00028fb3f4ea18340f072dcb19b5ba60286ab8baf936437624dc3e

                                                                                                                                                                        SHA512

                                                                                                                                                                        aff8d4e1e746bf8c5cb9054a44f3a516b5110e76295621f40d715831e86d8fbfa34588019f7ea00ee06627205a38c597f677250c190729f03063c5c278eadef3

                                                                                                                                                                      • C:\Users\Admin\Downloads\Unconfirmed 468740.crdownload

                                                                                                                                                                        Filesize

                                                                                                                                                                        7.2MB

                                                                                                                                                                        MD5

                                                                                                                                                                        6ec04fa24f0695f286801366108942f3

                                                                                                                                                                        SHA1

                                                                                                                                                                        309ee6a08c8ab0159dc3137865b6cfeb9f3e4e04

                                                                                                                                                                        SHA256

                                                                                                                                                                        ae27243a53f4c399aeb6bb39e67fa79f8378d51ef6b4fef9263791ec1acb6e78

                                                                                                                                                                        SHA512

                                                                                                                                                                        d835f387bb19b353f58eb72a94c2b32857826f3f1322c7b5be253a6dc3b2c6a9cf4cd0340ab001df74092899346bd0e4d1dfa8c5c8d77a2893b418311103a6b5

                                                                                                                                                                      • C:\Windows\INF\cleaner.bat

                                                                                                                                                                        Filesize

                                                                                                                                                                        656KB

                                                                                                                                                                        MD5

                                                                                                                                                                        583ffc4b6b078bd709f63424b63b04fb

                                                                                                                                                                        SHA1

                                                                                                                                                                        07f44f5fd6efc3486641d3c18ccb05eafe5ad07c

                                                                                                                                                                        SHA256

                                                                                                                                                                        8187822d2b41693f8b121ec722cb2eff204d28e5344e30cfbc75f01285ffb633

                                                                                                                                                                        SHA512

                                                                                                                                                                        2a764482ee1f4cb3374a53dbe07c42c8dc4d464859799e2bb691b1d6c5bd56b6000e9ff4a7bf88c20ef3c6d1c5e96d0a3519b6aef307fbace87a56982c99355b

                                                                                                                                                                      • memory/64-70-0x00007FFD61E90000-0x00007FFD61E92000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        8KB

                                                                                                                                                                      • memory/64-72-0x0000000140000000-0x0000000140F9C000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        15.6MB

                                                                                                                                                                      • memory/64-109-0x0000000140000000-0x0000000140F9C000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        15.6MB