hxxps://cdn[.]discordapp[.]com/attachments/1209236505327960065/1209642421189746698/2XL_Free_Spoof[.]exe?ex=65e7aa4b&is=65d5354b&hm=a3f23762fbe49689237f02db55ea31ae4f5994242d96538aa0aa82db3167fac7&

Analysis

max time kernel
62s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1209236505327960065/1209642421189746698/2XL_Free_Spoof.exe?ex=65e7aa4b&is=65d5354b&hm=a3f23762fbe49689237f02db55ea31ae4f5994242d96538aa0aa82db3167fac7&

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
64	2XL_Free_Spoof.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\INF\cleaner.bat	2XL_Free_Spoof.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 48 IoCs

evasion

pid	Process
5088	taskkill.exe
4668	taskkill.exe
2148	taskkill.exe
3168	taskkill.exe
2280	taskkill.exe
3868	taskkill.exe
3184	taskkill.exe
4312	taskkill.exe
4260	taskkill.exe
1592	taskkill.exe
1592	taskkill.exe
4300	taskkill.exe
928	taskkill.exe
4636	taskkill.exe
1904	taskkill.exe
4636	taskkill.exe
4668	taskkill.exe
556	taskkill.exe
3184	taskkill.exe
5068	taskkill.exe
1068	taskkill.exe
1804	taskkill.exe
3952	taskkill.exe
3184	taskkill.exe
1636	taskkill.exe
3692	taskkill.exe
3572	taskkill.exe
1696	taskkill.exe
4992	taskkill.exe
4988	taskkill.exe
4016	taskkill.exe
4312	taskkill.exe
2428	taskkill.exe
1504	taskkill.exe
2320	taskkill.exe
4016	taskkill.exe
3528	taskkill.exe
3568	taskkill.exe
2788	taskkill.exe
4260	taskkill.exe
3692	taskkill.exe
2944	taskkill.exe
3720	taskkill.exe
1904	taskkill.exe
2428	taskkill.exe
2320	taskkill.exe
1200	taskkill.exe
2980	taskkill.exe

Modifies registry key 1 TTPs 34 IoCs

Modify Registry

T1112

pid	Process
2428	reg.exe
3868	reg.exe
3392	reg.exe
3892	reg.exe
4992	reg.exe
556	reg.exe
2820	reg.exe
2616	reg.exe
3276	reg.exe
2616	reg.exe
464	reg.exe
3752	reg.exe
3868	reg.exe
4716	reg.exe
3276	reg.exe
3892	reg.exe
2980	reg.exe
1636	reg.exe
3356	reg.exe
1804	reg.exe
1636	reg.exe
4716	reg.exe
1804	reg.exe
3392	reg.exe
2820	reg.exe
3048	reg.exe
5068	reg.exe
4992	reg.exe
5008	reg.exe
3356	reg.exe
464	reg.exe
1384	reg.exe
2428	reg.exe
5008	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 468740.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
948	msedge.exe
948	msedge.exe
4032	msedge.exe
4032	msedge.exe
1396	identity_helper.exe
1396	identity_helper.exe
1904	msedge.exe
1904	msedge.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe
64	2XL_Free_Spoof.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	taskkill.exe
Token: SeDebugPrivilege	5088	taskkill.exe
Token: SeDebugPrivilege	3952	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	3184	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	928	taskkill.exe
Token: SeDebugPrivilege	4016	taskkill.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeDebugPrivilege	3184	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeDebugPrivilege	4668	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	4992	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	3568	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	4668	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	3184	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
64	2XL_Free_Spoof.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 632	4032	msedge.exe	81
PID 4032 wrote to memory of 632	4032	msedge.exe	81
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 4520	4032	msedge.exe	89
PID 4032 wrote to memory of 948	4032	msedge.exe	88
PID 4032 wrote to memory of 948	4032	msedge.exe	88
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90
PID 4032 wrote to memory of 220	4032	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1209236505327960065/1209642421189746698/2XL_Free_Spoof.exe?ex=65e7aa4b&is=65d5354b&hm=a3f23762fbe49689237f02db55ea31ae4f5994242d96538aa0aa82db3167fac7&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd56f946f8,0x7ffd56f94708,0x7ffd56f94718
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1904
- C:\Users\Admin\Downloads\2XL_Free_Spoof.exe
  "C:\Users\Admin\Downloads\2XL_Free_Spoof.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 04
    3⤵
    PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe >nul 2>&1
    3⤵
    PID:556
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im epicgameslauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
    3⤵
    PID:1068
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumperClient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:1804
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:5052
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:556
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
    3⤵
    PID:3708
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ProcessHacker.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
    3⤵
    PID:2148
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
    3⤵
    PID:1592
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq64.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
    3⤵
    PID:5012
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Wireshark.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
    3⤵
    PID:4668
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Fiddler.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
    3⤵
    PID:3544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
    3⤵
    PID:4960
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos64.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
    3⤵
    PID:1144
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
    3⤵
    PID:3112
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos32.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
    3⤵
    PID:4992
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im de4dot.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
    3⤵
    PID:5088
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      Kills process with taskkill
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:4700
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:1200
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:2944
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3572
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
        5⤵
        Kills process with taskkill
        
        PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
    3⤵
    PID:3016
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-i386.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:3544
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
    3⤵
    PID:4260
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-i386.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
    3⤵
    PID:3572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:448
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:3952
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
    3⤵
    PID:3892
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x64dbg.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
    3⤵
    PID:4016
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x32dbg.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1068
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:4752
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:2820
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
    3⤵
    PID:2280
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Ida64.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:3184
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
    3⤵
    PID:556
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg64.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
    3⤵
    PID:5052
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg32.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:4716
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:3184
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:3720
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\INF\cleaner.bat
    3⤵
    PID:4580
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im epicgameslauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3184
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2980
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2280
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4988
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2788
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im UnrealCEFSubProcess.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1904
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im CEFProcess.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4300
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3868
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im BEService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5068
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im BEServices.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1504
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im BattleEye.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1068
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {7574-12453-21562-28706} /f
      4⤵
      Modifies registry key
      PID:556
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {29089-29169-5451-26192} /f
      4⤵
      Modifies registry key
      PID:2980
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 2611-16674-15936-1041 /f
      4⤵
      Modifies registry key
      PID:3048
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 21067-17163-28468-32106 /f
      4⤵
      Modifies registry key
      PID:1384
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      4⤵
      PID:1708
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
      4⤵
      PID:1636
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
      4⤵
      PID:2820
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
      4⤵
      PID:2320
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
      4⤵
      PID:2708
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
      4⤵
      PID:2616
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
      4⤵
      PID:1532
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      4⤵
      PID:4408
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 12519 /f
      4⤵
      Modifies registry key
      PID:3752
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 31102 /f
      4⤵
      Modifies registry key
      PID:5068
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
      4⤵
      PID:3708
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
      4⤵
      PID:1504
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
      4⤵
      PID:2816
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
      4⤵
      PID:448
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
      4⤵
      PID:2644
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Desktop15936 /f
      4⤵
      Modifies registry key
      PID:1636
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Desktop32090 /f
      4⤵
      Modifies registry key
      PID:2820
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Admin7453} /f
      4⤵
      Modifies registry key
      PID:2428
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {22287-3126-30652-14440} /f
      4⤵
      Modifies registry key
      PID:4992
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {16410-4498-21102-25408} /f
      4⤵
      Modifies registry key
      PID:5008
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 7432 /f
      4⤵
      Modifies registry key
      PID:2616
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 14253 /f
      4⤵
      Modifies registry key
      PID:4716
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 10675 /f
      4⤵
      Modifies registry key
      PID:3868
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 32749-25037-4660-13270 /f
      4⤵
      Modifies registry key
      PID:3356
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 22428-11957-3289-2065 /f
      4⤵
      Modifies registry key
      PID:1804
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 21939-28257-8520-19628 /f
      4⤵
      Modifies registry key
      PID:3276
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 3426 /f
      4⤵
      Modifies registry key
      PID:3892
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {5388-10589-4201-15738} /f
      4⤵
      Modifies registry key
      PID:3392
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      4⤵
      PID:2080
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 25876-8596-21280-Admin18051 /f
      4⤵
      Modifies registry key
      PID:464
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
      4⤵
      PID:2636
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
      4⤵
      PID:1384
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
      4⤵
      PID:1380
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
      4⤵
      PID:704
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
      4⤵
      PID:1788
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Desktop23733 /f
      4⤵
      Modifies registry key
      PID:1636
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Desktop28609 /f
      4⤵
      Modifies registry key
      PID:2820
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Admin423} /f
      4⤵
      Modifies registry key
      PID:2428
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {18185-12567-513-26868} /f
      4⤵
      Modifies registry key
      PID:4992
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {21046-31371-23024-25734} /f
      4⤵
      Modifies registry key
      PID:5008
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 29862 /f
      4⤵
      Modifies registry key
      PID:2616
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 30225 /f
      4⤵
      Modifies registry key
      PID:4716
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 22556 /f
      4⤵
      Modifies registry key
      PID:3868
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 19457-31606-31-23482 /f
      4⤵
      Modifies registry key
      PID:3356
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 25624-12702-11421-2712 /f
      4⤵
      Modifies registry key
      PID:1804
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 22191-1921-8244-21843 /f
      4⤵
      Modifies registry key
      PID:3276
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 30273 /f
      4⤵
      Modifies registry key
      PID:3892
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {22723-3784-3018-20608} /f
      4⤵
      Modifies registry key
      PID:3392
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      4⤵
      PID:2080
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 17499-835-5586-Admin21564 /f
      4⤵
      Modifies registry key
      PID:464
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
      4⤵
      PID:2636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:232

C:\Windows\system32\taskkill.exe
taskkill /f /im FiddlerEverywhere.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b1f40e0d6ceaf161dfc1dfdddcfc44af

SHA1
b6557a6331b4c54efb30597ad4da0be03013a23e

SHA256
065557e5cddcc8022528dc82c5fd618ca28c153d6e34978d2ba84d33227eed48

SHA512
0d7fd3eabf2d2b426c627531b29e433cab175232c169a77623213b7b9935458b3067a2860137b030235526e49ca4df6867534135cf9da60697d6fa43441e7818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18bc1d880e1a43364e572a20540c025b

SHA1
93b7043da91e7697d7268a52ca9a434a55ddbb75

SHA256
11fcaea6cf095ba038a344829e699198e7c981149f15e30a51229b8dbca6937f

SHA512
3e8ca38dbd4d9aa865fdfa359033fb47f581b93842f1ccb667f243cc630bfabf8390cbf8ed1de6110b18819f0d831312304806667bc68fdd13ea1bb09b44742e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a9e6031f24a74bc00841e30d61db793

SHA1
0dda5ab00e67e3ac3f7eda8f6c24dfe82706e748

SHA256
39fbd9f09275b72182271f14c59f3c9909cd638152934c65677e91cac851caa4

SHA512
0fb70e45b6250555d9a2dfa7fa120d5edd5c3d9e26261f0ae35896b762214100401f9542e997050cd0c425c95f902671580625daffb52a2ca71810ac6d875da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
35854cc9536940978241a8a1692e3c36

SHA1
fabf4dd9ff29a09257e6a1cf3f2ed23721508376

SHA256
03eed5b254dc8373da9174302c3d7eb51bc0f224a16166b70cc143afc48c4c7b

SHA512
7e0809b317a98fc9744f870dd41b1610bd77954726b0736908e440c0e41ec59a1c03bbb973c88412a6631065c79ce003f9402d62527f3ea671e04fa059717ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bb0f17809b6d42d520122a1bd096f067

SHA1
0070f5dbef79eedd9922d18a7fb43e9307ab548c

SHA256
a5418c6756b5e4bc65f316e3b71c2436981c02af6c504da71f22e01848c23a5a

SHA512
5d32d15fc1924a8d8b2f8d55c7dd8762f6728cdc9353e2047bbc7ded623c0def459cff4268b9421d8682ff2227cf9fa3fdfe61503353740adcf3c881562f65b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
22d4aa47cbea13d46daed6d06a9e369c

SHA1
65511836a359cb8ce8776dd182f83fb96afc9700

SHA256
2e2a523e479933907e777af1f543a8b974b55a7c0355a5e7db0ce80a59c56bbb

SHA512
0853ebfeeafacccb99a3f87a995563b7c00fb6f3c395507f585f65814a04045042096e1629cedb07b7e5709097ee69ce67f89a86f7813e4e60031fc1238ccd77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CE07F~1.TMP

Filesize
377KB

MD5
118573e5a7fc1a9113ce062fd6a60d81

SHA1
61437f5ab7059ab958e343a5aee1a50db488f842

SHA256
6398d2b095efc10b591d033f06d8679dd28a4b064e425f86e4d72a1d4ffb7e65

SHA512
7bffde47c74140f3f61a6937bbb29dce331abf0c6ee54be1b22332a8d1ebc2ac78c832fde4aba0c0e9d1053c04d77996cf544c2eade0ef407438e0869a08e306

Download Submit
C:\Users\Admin\AppData\Local\Temp\E94ADD~1.TMP

Filesize
224KB

MD5
09bd0f4196902acac51ec4fab447da46

SHA1
5d15beebfb17323b8d973546cf9c4cbb4f0cb0c9

SHA256
a252dde73c00028fb3f4ea18340f072dcb19b5ba60286ab8baf936437624dc3e

SHA512
aff8d4e1e746bf8c5cb9054a44f3a516b5110e76295621f40d715831e86d8fbfa34588019f7ea00ee06627205a38c597f677250c190729f03063c5c278eadef3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 468740.crdownload

Filesize
7.2MB

MD5
6ec04fa24f0695f286801366108942f3

SHA1
309ee6a08c8ab0159dc3137865b6cfeb9f3e4e04

SHA256
ae27243a53f4c399aeb6bb39e67fa79f8378d51ef6b4fef9263791ec1acb6e78

SHA512
d835f387bb19b353f58eb72a94c2b32857826f3f1322c7b5be253a6dc3b2c6a9cf4cd0340ab001df74092899346bd0e4d1dfa8c5c8d77a2893b418311103a6b5

Download Submit
C:\Windows\INF\cleaner.bat

Filesize
656KB

MD5
583ffc4b6b078bd709f63424b63b04fb

SHA1
07f44f5fd6efc3486641d3c18ccb05eafe5ad07c

SHA256
8187822d2b41693f8b121ec722cb2eff204d28e5344e30cfbc75f01285ffb633

SHA512
2a764482ee1f4cb3374a53dbe07c42c8dc4d464859799e2bb691b1d6c5bd56b6000e9ff4a7bf88c20ef3c6d1c5e96d0a3519b6aef307fbace87a56982c99355b

Download Submit
memory/64-70-0x00007FFD61E90000-0x00007FFD61E92000-memory.dmp

Filesize
8KB

Download
memory/64-72-0x0000000140000000-0x0000000140F9C000-memory.dmp

Filesize
15.6MB

Download
memory/64-109-0x0000000140000000-0x0000000140F9C000-memory.dmp

Filesize
15.6MB

Download