Analysis
  max time kernel:  62s
  max time network: 64s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240220-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        21/02/2024, 13:39
Static task:     static1
URLScan task:    urlscan1
Behavioral task: behavioral1
Sample
  https://cdn.discordapp.com/attachments/1209236505327960065/1209642421189746698/2XL_Free_Spoof.exe?ex=65e7aa4b&is=65d5354b&hm=a3f23762fbe49689237f02db55ea31ae4f5994242d96538aa0aa82db3167fac7&
Resource
  win10v2004-20240220-en
General
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
    pid  Process
    64   2XL_Free_Spoof.exe
- Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
    pid  Process
    64   2XL_Free_Spoof.exe
    64   2XL_Free_Spoof.exe
- Drops file in Windows directory (1 IoC)
    description   ioc                         Process
    File created  C:\Windows\INF\cleaner.bat  2XL_Free_Spoof.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
    description        ioc                                                                    Process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
- Kills process with taskkill (48 IoCs)
- Modifies registry key (1 TTP, 34 IoCs)
- NTFS ADS (1 IoC)
    description                   ioc                                                                 Process
    File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 468740.crdownload:SmartScreen  msedge.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
- Suspicious use of FindShellTrayWindow (37 IoCs)
- Suspicious use of SendNotifyMessage (24 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoC)
    pid  Process
    64   2XL_Free_Spoof.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree (indented by depth; each node shows the image path, the captured command line and the signatures that fired on it):

PID:4032  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1209236505327960065/1209642421189746698/2XL_Free_Spoof.exe?ex=65e7aa4b&is=65d5354b&hm=a3f23762fbe49689237f02db55ea31ae4f5994242d96538aa0aa82db3167fac7&
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    PID:632  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd56f946f8,0x7ffd56f94708,0x7ffd56f94718

    PID:948  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    PID:4520  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2

    PID:220  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8

    PID:2968  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

    PID:5052  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

    PID:2028  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8

    PID:1396  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    PID:448  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1

    PID:3184  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

    PID:2744  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1

    PID:2224  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1

    PID:4248  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1

    PID:4408  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5824 /prefetch:8

    PID:3132  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6372 /prefetch:8

    PID:1904  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,3243422320674860127,8901479009391524070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    PID:64  C:\Users\Admin\Downloads\2XL_Free_Spoof.exe
        cmdline: "C:\Users\Admin\Downloads\2XL_Free_Spoof.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

        PID:3892  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c color 04
        PID:556  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe >nul 2>&1
            PID:4016  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im epicgameslauncher.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:3184  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c cls
        PID:1636  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c cls
        PID:4700  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c cls
        PID:1068  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
            PID:5088  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im KsDumperClient.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:1804  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
            PID:3952  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im KsDumper.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:5052  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
            PID:4260  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im HTTPDebuggerUI.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:556  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
            PID:3184  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im HTTPDebuggerSvc.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:3708  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
            PID:2428  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im ProcessHacker.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:2148  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
            PID:3692  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im idaq.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:1592  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
            PID:2320  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im idaq64.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:5012  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
            PID:1636  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im Wireshark.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:4668  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
            PID:928  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im Fiddler.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:3544  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
        PID:4960  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
            PID:3528  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im Xenos64.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:1144  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
            PID:3184  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im Xenos.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:3112  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
            PID:4636  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im Xenos32.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:4992  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
            PID:3692  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im de4dot.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:5088  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
            PID:2320  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im Cheat Engine.exe
                - Kills process with taskkill
        PID:4700  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
            PID:4312  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im cheatengine-x86_64.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:1200  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
            PID:4260  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:2944  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
            PID:3572  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
                PID:2944  C:\Windows\system32\taskkill.exe
                    cmdline: taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
                    - Kills process with taskkill
        PID:3016  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
            PID:4668  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im MugenJinFuu-i386.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:3544  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
            PID:1696  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im cheatengine-x86_64.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:4260  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
            PID:1200  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im cheatengine-i386.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:3572  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
        PID:448  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
            PID:4992  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im KsDumper.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:3952  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
            PID:4312  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im OllyDbg.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:3892  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
            PID:3568  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im x64dbg.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:4016  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
            PID:1592  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im x32dbg.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:1068  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
            PID:1904  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:4752  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
            PID:2428  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im HTTPDebuggerUI.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:2820  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
            PID:1804  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im HTTPDebuggerSvc.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:2280  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
            PID:4636  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im Ida64.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:3184  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
            PID:4668  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im OllyDbg.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:556  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
            PID:3720  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im Dbg64.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:5052  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
            PID:1592  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /f /im Dbg32.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:4716  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
            PID:2148  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:3184  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
            PID:3168  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:3720  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
            PID:556  C:\Windows\system32\taskkill.exe
                cmdline: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        PID:2280  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c cls
        PID:3528  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\INF\cleaner.bat3⤵PID:4580
-
C:\Windows\system32\taskkill.exetaskkill /f /im epicgameslauncher.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\system32\taskkill.exe (depth 4)
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

C:\Windows\system32\taskkill.exe (depth 4)
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2280

C:\Windows\system32\taskkill.exe (depth 4)
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4988

C:\Windows\system32\taskkill.exe (depth 4)
  taskkill /f /im FortniteLauncher.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2788

C:\Windows\system32\taskkill.exe (depth 4)
  taskkill /f /im UnrealCEFSubProcess.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1904

C:\Windows\system32\taskkill.exe (depth 4)
  taskkill /f /im CEFProcess.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4300

C:\Windows\system32\taskkill.exe (depth 4)
  taskkill /f /im EasyAntiCheat.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3868

C:\Windows\system32\taskkill.exe (depth 4)
  taskkill /f /im BEService.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5068

C:\Windows\system32\taskkill.exe (depth 4)
  taskkill /f /im BEServices.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1504

C:\Windows\system32\taskkill.exe (depth 4)
  taskkill /f /im BattleEye.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1068

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {7574-12453-21562-28706} /f
  - Modifies registry key
  PID:556

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {29089-29169-5451-26192} /f
  - Modifies registry key
  PID:2980

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 2611-16674-15936-1041 /f
  - Modifies registry key
  PID:3048

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 21067-17163-28468-32106 /f
  - Modifies registry key
  PID:1384

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  PID:1708

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  PID:1636

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  PID:2820

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  PID:2320

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  PID:2708

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
  PID:2616

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
  PID:1532

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  PID:4408

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 12519 /f
  - Modifies registry key
  PID:3752

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 31102 /f
  - Modifies registry key
  PID:5068

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  PID:3708

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  PID:1504

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  PID:2816

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  PID:448

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
  PID:2644

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Desktop15936 /f
  - Modifies registry key
  PID:1636

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Desktop32090 /f
  - Modifies registry key
  PID:2820

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Admin7453} /f
  - Modifies registry key
  PID:2428

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {22287-3126-30652-14440} /f
  - Modifies registry key
  PID:4992

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {16410-4498-21102-25408} /f
  - Modifies registry key
  PID:5008

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 7432 /f
  - Modifies registry key
  PID:2616

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 14253 /f
  - Modifies registry key
  PID:4716

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 10675 /f
  - Modifies registry key
  PID:3868

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 32749-25037-4660-13270 /f
  - Modifies registry key
  PID:3356

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 22428-11957-3289-2065 /f
  - Modifies registry key
  PID:1804

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 21939-28257-8520-19628 /f
  - Modifies registry key
  PID:3276

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 3426 /f
  - Modifies registry key
  PID:3892

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {5388-10589-4201-15738} /f
  - Modifies registry key
  PID:3392

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  PID:2080

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 25876-8596-21280-Admin18051 /f
  - Modifies registry key
  PID:464

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  PID:2636

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  PID:1384

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  PID:1380

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  PID:704

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
  PID:1788

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Desktop23733 /f
  - Modifies registry key
  PID:1636

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Desktop28609 /f
  - Modifies registry key
  PID:2820

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Admin423} /f
  - Modifies registry key
  PID:2428

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {18185-12567-513-26868} /f
  - Modifies registry key
  PID:4992

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {21046-31371-23024-25734} /f
  - Modifies registry key
  PID:5008

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 29862 /f
  - Modifies registry key
  PID:2616

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 30225 /f
  - Modifies registry key
  PID:4716

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 22556 /f
  - Modifies registry key
  PID:3868

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 19457-31606-31-23482 /f
  - Modifies registry key
  PID:3356

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 25624-12702-11421-2712 /f
  - Modifies registry key
  PID:1804

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 22191-1921-8244-21843 /f
  - Modifies registry key
  PID:3276

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 30273 /f
  - Modifies registry key
  PID:3892

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {22723-3784-3018-20608} /f
  - Modifies registry key
  PID:3392

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  PID:2080

C:\Windows\system32\reg.exe (depth 4)
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 17499-835-5586-Admin21564 /f
  - Modifies registry key
  PID:464

C:\Windows\system32\reg.exe (depth 4)
  reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
  PID:2636

C:\Windows\system32\cmd.exe (depth 3)
  C:\Windows\system32\cmd.exe /c cls
  PID:4768

C:\Windows\system32\cmd.exe (depth 3)
  C:\Windows\system32\cmd.exe /c cls
  PID:3692

C:\Windows\System32\CompPkgSrv.exe (depth 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:2720

C:\Windows\System32\CompPkgSrv.exe (depth 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:232

C:\Windows\system32\taskkill.exe (depth 1)
  taskkill /f /im FiddlerEverywhere.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: b1f40e0d6ceaf161dfc1dfdddcfc44af
SHA1: b6557a6331b4c54efb30597ad4da0be03013a23e
SHA256: 065557e5cddcc8022528dc82c5fd618ca28c153d6e34978d2ba84d33227eed48
SHA512: 0d7fd3eabf2d2b426c627531b29e433cab175232c169a77623213b7b9935458b3067a2860137b030235526e49ca4df6867534135cf9da60697d6fa43441e7818

Filesize: 152B
MD5: 18bc1d880e1a43364e572a20540c025b
SHA1: 93b7043da91e7697d7268a52ca9a434a55ddbb75
SHA256: 11fcaea6cf095ba038a344829e699198e7c981149f15e30a51229b8dbca6937f
SHA512: 3e8ca38dbd4d9aa865fdfa359033fb47f581b93842f1ccb667f243cc630bfabf8390cbf8ed1de6110b18819f0d831312304806667bc68fdd13ea1bb09b44742e

Filesize: 6KB
MD5: 2a9e6031f24a74bc00841e30d61db793
SHA1: 0dda5ab00e67e3ac3f7eda8f6c24dfe82706e748
SHA256: 39fbd9f09275b72182271f14c59f3c9909cd638152934c65677e91cac851caa4
SHA512: 0fb70e45b6250555d9a2dfa7fa120d5edd5c3d9e26261f0ae35896b762214100401f9542e997050cd0c425c95f902671580625daffb52a2ca71810ac6d875da3

Filesize: 6KB
MD5: 35854cc9536940978241a8a1692e3c36
SHA1: fabf4dd9ff29a09257e6a1cf3f2ed23721508376
SHA256: 03eed5b254dc8373da9174302c3d7eb51bc0f224a16166b70cc143afc48c4c7b
SHA512: 7e0809b317a98fc9744f870dd41b1610bd77954726b0736908e440c0e41ec59a1c03bbb973c88412a6631065c79ce003f9402d62527f3ea671e04fa059717ea4

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: bb0f17809b6d42d520122a1bd096f067
SHA1: 0070f5dbef79eedd9922d18a7fb43e9307ab548c
SHA256: a5418c6756b5e4bc65f316e3b71c2436981c02af6c504da71f22e01848c23a5a
SHA512: 5d32d15fc1924a8d8b2f8d55c7dd8762f6728cdc9353e2047bbc7ded623c0def459cff4268b9421d8682ff2227cf9fa3fdfe61503353740adcf3c881562f65b8

Filesize: 11KB
MD5: 22d4aa47cbea13d46daed6d06a9e369c
SHA1: 65511836a359cb8ce8776dd182f83fb96afc9700
SHA256: 2e2a523e479933907e777af1f543a8b974b55a7c0355a5e7db0ce80a59c56bbb
SHA512: 0853ebfeeafacccb99a3f87a995563b7c00fb6f3c395507f585f65814a04045042096e1629cedb07b7e5709097ee69ce67f89a86f7813e4e60031fc1238ccd77

Filesize: 377KB
MD5: 118573e5a7fc1a9113ce062fd6a60d81
SHA1: 61437f5ab7059ab958e343a5aee1a50db488f842
SHA256: 6398d2b095efc10b591d033f06d8679dd28a4b064e425f86e4d72a1d4ffb7e65
SHA512: 7bffde47c74140f3f61a6937bbb29dce331abf0c6ee54be1b22332a8d1ebc2ac78c832fde4aba0c0e9d1053c04d77996cf544c2eade0ef407438e0869a08e306

Filesize: 224KB
MD5: 09bd0f4196902acac51ec4fab447da46
SHA1: 5d15beebfb17323b8d973546cf9c4cbb4f0cb0c9
SHA256: a252dde73c00028fb3f4ea18340f072dcb19b5ba60286ab8baf936437624dc3e
SHA512: aff8d4e1e746bf8c5cb9054a44f3a516b5110e76295621f40d715831e86d8fbfa34588019f7ea00ee06627205a38c597f677250c190729f03063c5c278eadef3

Filesize: 7.2MB
MD5: 6ec04fa24f0695f286801366108942f3
SHA1: 309ee6a08c8ab0159dc3137865b6cfeb9f3e4e04
SHA256: ae27243a53f4c399aeb6bb39e67fa79f8378d51ef6b4fef9263791ec1acb6e78
SHA512: d835f387bb19b353f58eb72a94c2b32857826f3f1322c7b5be253a6dc3b2c6a9cf4cd0340ab001df74092899346bd0e4d1dfa8c5c8d77a2893b418311103a6b5

Filesize: 656KB
MD5: 583ffc4b6b078bd709f63424b63b04fb
SHA1: 07f44f5fd6efc3486641d3c18ccb05eafe5ad07c
SHA256: 8187822d2b41693f8b121ec722cb2eff204d28e5344e30cfbc75f01285ffb633
SHA512: 2a764482ee1f4cb3374a53dbe07c42c8dc4d464859799e2bb691b1d6c5bd56b6000e9ff4a7bf88c20ef3c6d1c5e96d0a3519b6aef307fbace87a56982c99355b