Analysis

  • max time kernel: 83s
  • max time network: 172s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01/05/2023, 03:18

General

  • Target: W4LL3NG - Neo Games.rar
  • Size: 231.0MB
  • MD5: b93ed386ccbf9c58a36e10ed5e32332f
  • SHA1: 5edadb2ee92386a9b6e8b256b141fb65852f2457
  • SHA256: ab9af0639c182ec3720b0574ace5b13cad7318b6cba86eb79864d2888cebe59a
  • SHA512: ac92816202b4efa7b8767625bdc6d8fed9cb15515bf3adf8a2f3a4f8e82a8047ba9782155733cb7a44dc4fe1c40a6ba4d511acbd83553d9fc1517767911804e0
  • SSDEEP: 6291456:XXt8fCQzNGlPjrxqZgrOoNdPayQaKaJTUppHd9RkRFTEvoblr:HGaJuC7oaNOppHdPkRFYQlr

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Checks processor information in registry (2 TTPs, 7 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Modifies registry class (10 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (18 IoCs)
  • Suspicious use of SendNotifyMessage (17 IoCs)
  • Suspicious use of SetWindowsHookEx (34 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\W4LL3NG - Neo Games.rar"
    1⤵
    • Modifies registry class
    PID:1500
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\W4LL3NG - Neo Games.rar"
      2⤵
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1312
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        3⤵
        PID:3648
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F882B54E32E3BED6F36A3B953CE293ED --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F882B54E32E3BED6F36A3B953CE293ED --renderer-client-id=2 --mojo-platform-channel-handle=1680 --allow-no-sandbox-job /prefetch:1
          4⤵
          PID:924
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=40AFD539211B5AE49409FDB165EF2043 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          PID:2020
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B2152F22B5D0C5DCCDCE341972CE007E --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          PID:5488
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=27312E854C0714AC060DB6A765175FD0 --mojo-platform-channel-handle=2028 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          PID:5584
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=016196BBED9349846447EDDDF2DFF649 --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          PID:5784
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5B2F5563F86FC18193461A5330697A85 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5B2F5563F86FC18193461A5330697A85 --renderer-client-id=8 --mojo-platform-channel-handle=2388 --allow-no-sandbox-job /prefetch:1
          4⤵
          PID:5372
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        3⤵
        PID:4724
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3240
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.0.1650326685\79113616" -parentBuildID 20221007134813 -prefsHandle 1812 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc8d939e-a628-494d-bf83-e902da6f5ce0} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1932 1c317dece58 gpu
        3⤵
        PID:2912
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.1.1210432800\1029477723" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {957f9286-0833-45d3-9333-8ead40626429} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 2332 1c30ae71f58 socket
        3⤵
        PID:1408
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.2.859440627\1259007722" -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 3144 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e681a34-2207-4db1-8b88-575473e55e37} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 3112 1c31b9f2b58 tab
        3⤵
        PID:5064
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.3.209428393\1520786065" -childID 2 -isForBrowser -prefsHandle 3432 -prefMapHandle 1136 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f75fd3a5-3cf4-4cc6-9b8a-0c1534f66ec5} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1092 1c30ae65658 tab
        3⤵
        PID:1496
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.4.61101957\961433198" -childID 3 -isForBrowser -prefsHandle 4172 -prefMapHandle 4168 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2a0f3a6-7d2a-4842-9393-57e2341c3710} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4184 1c30ae5e558 tab
        3⤵
        PID:4788
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.5.1512955805\1085645441" -childID 4 -isForBrowser -prefsHandle 3988 -prefMapHandle 4892 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c3d80fd-6351-4a41-9e0f-31c6a4a78ee9} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 5040 1c31c99a658 tab
        3⤵
        PID:4984
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.7.202131136\966109529" -childID 6 -isForBrowser -prefsHandle 5240 -prefMapHandle 5060 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7e6a02c-f1d2-4e81-90a2-321931a384cf} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 5248 1c31e379858 tab
        3⤵
        PID:3460
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.6.28654518\1034446093" -childID 5 -isForBrowser -prefsHandle 5048 -prefMapHandle 4924 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d461424a-7613-4385-b8bf-e16d7a6d6ea0} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1652 1c31e37a758 tab
        3⤵
        PID:5072
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.8.752083896\615301939" -childID 7 -isForBrowser -prefsHandle 5324 -prefMapHandle 5328 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68650ff3-41b2-48b3-88a1-1f92a8a73b9c} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 5712 1c31955a458 tab
        3⤵
        PID:5196
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.9.835155111\1781412236" -childID 8 -isForBrowser -prefsHandle 2776 -prefMapHandle 4876 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f7e8f31-0e95-4f39-a8c0-0b47edb67f31} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4632 1c31a8b6558 tab
        3⤵
        PID:5604
      • C:\Users\Admin\Downloads\winrar-x64-621.exe
        "C:\Users\Admin\Downloads\winrar-x64-621.exe"
        3⤵
        PID:5536
        • C:\Program Files\WinRAR\uninstall.exe
          "C:\Program Files\WinRAR\uninstall.exe" /setup
          4⤵
          PID:1612
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1252
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5168
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2948

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files\WinRAR\Rar.txt
    Filesize: 109KB
    MD5: e51d9ff73c65b76ccd7cd09aeea99c3c
    SHA1: d4789310e9b7a4628154f21af9803e88e89e9b1b
    SHA256: 7456f489100ec876062d68d152081167ac00d45194b17af4a8dd53680acfc9bd
    SHA512: 57ab82d4a95d3b5d181c0ec1a1a1de56a4d6c83af5644032ff3af71e9bd8e13051ae274609bda8b336d70a99f2fba17331773694d7e98d4a7635f7b59651b77c
  • C:\Program Files\WinRAR\Uninstall.exe
    Filesize: 437KB
    MD5: cac9723066062383778f37e9d64fd94e
    SHA1: 1cd78fc041d733f7eacdd447371c9dec25c7ef2c
    SHA256: e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
    SHA512: 2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59
  • C:\Program Files\WinRAR\WhatsNew.txt
    Filesize: 103KB
    MD5: 4c88a040b31c4d144b44b0dc68fb2cc8
    SHA1: bf473f5a5d3d8be6e5870a398212450580f8b37b
    SHA256: 6f1a005a0e5c765fcc68fe15f7ccd18667a6e583980e001ba7181aaaeed442b8
    SHA512: e7f224a21d7c111b83775c778e6d9fa447e53809e0efd4f3ba99c7d6206036aa3dde9484248b244fb26789467559a40516c8e163d379e84dcf31ac84b4c5d2a8
  • C:\Program Files\WinRAR\WinRAR.chm
    Filesize: 317KB
    MD5: 381eae01a2241b8a4738b3c64649fbc0
    SHA1: cc5944fde68ed622ebee2da9412534e5a44a7c9a
    SHA256: ad58f39f5d429b5a3726c4a8ee5ccada86d24273eebf2f6072ad1fb61ea82d6e
    SHA512: f7a8903ea38f2b62d6fa2cc755e0d972a14d00a2e1047e6e983902eff1d3a6bca98327c2b8ed47e46435d1156816e4b0d494726fce87b6cbe7722f5249889b88
  • C:\Program Files\WinRAR\WinRAR.exe
    Filesize: 2.4MB
    MD5: 46d15a70619d5e68415c8f22d5c81555
    SHA1: 12ec96e89b0fd38c469546042e30452b070e337f
    SHA256: 2e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781
    SHA512: 09446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb
  • C:\Program Files\WinRAR\uninstall.exe
    Filesize: 437KB
    MD5: cac9723066062383778f37e9d64fd94e
    SHA1: 1cd78fc041d733f7eacdd447371c9dec25c7ef2c
    SHA256: e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
    SHA512: 2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59
  • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
    Filesize: 36KB
    MD5: b30d3becc8731792523d599d949e63f5
    SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
    SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
    SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
  • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
    Filesize: 56KB
    MD5: 752a1f26b18748311b691c7d8fc20633
    SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
    SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
    SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
  • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
    Filesize: 64KB
    MD5: cb590963d70debcf6243f2ec740b3fe9
    SHA1: 72bafecfa71f8f0937c5ecd584a7ebe845bfb9ba
    SHA256: 9df8f8e7b62d54bd6d82ccce7a67b1ad757fdb64d2ac3a9676c24052d8a63f71
    SHA512: d1ecafbbed7fc066be7ad5faa01ce48d29f5de369b07dd5395b42fa65ad073b252a981cb8968caa1638849267e7d91ff3e3bfc4e2a5f00d12834d0172b6b35f7
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 149KB
    MD5: a6bb6fe314273a0ad8d75a5eb2547e00
    SHA1: e7811e23349db8fd593ebc9b6deb7dcdc8c00cac
    SHA256: a6c541c69f4795beb533fd03829ba38b4ad0e75d2ef910cb730dfa6916c2f92e
    SHA512: b936bedb68f7801210e37aca93c405a14b29f1571d4fa66f73ca5d7f5367db32232e6e98ef018b07f3ef6b232fd968e953fcade6824015947166fa477e2c1491
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\doomed\10375
    Filesize: 14KB
    MD5: f4aa9ce445854444b20dfa01859d885a
    SHA1: 54f9e9968ef2db2307a1d5f41719ab6ce200aaef
    SHA256: 90bdae7cd55b186dab67e53203900271ed6cf21e023ab6ab2a4f7754b0103707
    SHA512: ea1baf8397f335f5803c90b5f22d5c4866032945bd4c4b66f3fa203794522e61fee80d32b6551db93a30a7b100ba21356105bc608b34382fc78dc6d05fc9facd
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\doomed\21673
    Filesize: 15KB
    MD5: 7870e935a853053fc35f07566408eb72
    SHA1: d1457d076a7404b7bbe16600b1adf2d6e3ea6c73
    SHA256: bcf3c27c7754c601ebe657f33e7f766c6b469450c376215f142f4e934f73d16e
    SHA512: c2951096b2de957c407061ff5fec0cecf22fd7e27294de80b834c999a7c94d38d866211158da96b902c7be96e26927d510199e18a348ff5eeec34df415ebdc37
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\A9D6D5BA392CDD19ADAD45FA50F5B7FE9C0472F6
    Filesize: 140KB

                                                      MD5

                                                      fe759d82fd1ba93137a47cfafa12e3ed

                                                      SHA1

                                                      d2ee62a27d6c93785ef096840bf5177f57c7dff1

                                                      SHA256

                                                      867a4fa7accdc2d57c321e5246b0bde87432d0545818019021e5594140d6b478

                                                      SHA512

                                                      81361d4e1960e681cf62db63e8c92aaab2c52a5cc9d4e2f08e509bb832ef3ec3bce9c83bff1010eb1897d69a38530c580c1cc3031cc085532bb3af71bd0d0f2f

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

                                                      Filesize

                                                      6KB

                                                      MD5

                                                      955ba81718cbe7280245ee9bd5b623d5

                                                      SHA1

                                                      c4b1ef81b2c09a080823e545da8f14e9e891d708

                                                      SHA256

                                                      413028b462b8f3af578d4ee6db3baf6c6bee1fd306c2500dee83adeb24f89d2d

                                                      SHA512

                                                      d4a9e78178b81b8302d9a5aba28b43cb4026d92819aac5805dbd898d93b25008099df7a73ab7676da99897826b5dcea6c45c0fa0adedc058d7c877ec0a5d1927

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

                                                      Filesize

                                                      6KB

                                                      MD5

                                                      6c88332781e383760ab779016cdb2be7

                                                      SHA1

                                                      714fab3d898d6477d826cd876e6cb7e279a71c32

                                                      SHA256

                                                      27fee15bca2568e83fcf656821cdcd8352a39b7b42860c7a836db79a00048ee4

                                                      SHA512

                                                      97223d2a882848c4fa5d4e503918724158ad024876f8ee5e507c193332c66530b7536fbb54090fbccc4780d10c667944720da79ba464e3dba10a2d2b491861c1

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      7796def92485289d20fbf43d78c8e3d8

                                                      SHA1

                                                      c73ed9f8e8ac57772be4190b2ecc035f77341cf4

                                                      SHA256

                                                      c8b3b837b49c2ec626386f86d1063260a13a6f62daa8172870d7531a8f0c8a98

                                                      SHA512

                                                      79db5fcb34cf2c1a991112ea000f5c01122f62a2a2b34491297f152ea88c5724eda79b77aae5200dfa6b9505d9e5bf4c28a3bfd3323ab6d17af9f928a5088316

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      f130e8222b71bc0fb3b0137203706633

                                                      SHA1

                                                      6adb51f5ebd8a316fd5e1a5243004c53d38ccae5

                                                      SHA256

                                                      69f95433c33cf7085d09752b014422c051d6b9ea70e1eb3686cbde2f1b7c4a66

                                                      SHA512

                                                      91ee20e6ab3732bb91a2554aa5cc6a8e5f775e2ee275ad450018fdc3188734326bbf18ae285ed38dcb9d0fe21928f6c0e92a6c1ed2258d4f2a3c51ecbd3bfcc9

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

                                                      Filesize

                                                      6KB

                                                      MD5

                                                      bf606426e5b9b70fcfecb113b974e796

                                                      SHA1

                                                      d291af7b777e116dc9af7157f4af182d1b11205c

                                                      SHA256

                                                      7402ce1370d614436e13b44dc2a5b2096bb32a3beed76311105162f4c5277157

                                                      SHA512

                                                      30dc64b7662ba610f3cbc25c796f599c641678af229e7ded0006c9f35039fbf70682cdf395636580fdf5444ba17ba0bc058caebc9572d45404c850bcbc8e1571

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js

                                                      Filesize

                                                      6KB

                                                      MD5

                                                      f73e52d124620d05267ba934f3b312d3

                                                      SHA1

                                                      34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30

                                                      SHA256

                                                      fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7

                                                      SHA512

                                                      4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4

                                                      Filesize

                                                      3KB

                                                      MD5

                                                      3c10527a50d47998c87e6667cbbb8d68

                                                      SHA1

                                                      5339539f3dd3f54d6d9f2dffef19b79969eac2b6

                                                      SHA256

                                                      a7d7f4c0c1fc0e4bcefa841fbb009e074d92813e1135deecc3a611401553eb79

                                                      SHA512

                                                      737c66c602ab8c183e0291ae5414122c5e139aa62defed2c26f0351494af3fc1d22b023a280c5e074692d6ab186b70669568c65b4723465a3cfe6c3b9d571e85

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4

                                                      Filesize

                                                      4KB

                                                      MD5

                                                      9e89c93e4eac4b22720e8c74996f1889

                                                      SHA1

                                                      94463d86ee1263875634d28b730082ae80736788

                                                      SHA256

                                                      97d9f614d5cc59030f1faeacaa8c5dd93aa070e44c55059adadf2b07fc1f3c17

                                                      SHA512

                                                      20b8054db9cdf37afbcaf260f6d4829d51b9bbfdfd0ec721a22a19caffa62189cd201ade8307bd347d99aedc845baa0e7e95de63b55bd6e2280a38d6aa537f89

                                                    • C:\Users\Admin\Downloads\winrar-x64-621.LMZvy9MY.exe.part

                                                      Filesize

                                                      3.4MB

                                                      MD5

                                                      766ac70b840c029689d3c065712cf46e

                                                      SHA1

                                                      e54f4628076d81b36de97b01c098a2e7ba123663

                                                      SHA256

                                                      06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219

                                                      SHA512

                                                      49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608

                                                    • C:\Users\Admin\Downloads\winrar-x64-621.exe

                                                      Filesize

                                                      3.4MB

                                                      MD5

                                                      766ac70b840c029689d3c065712cf46e

                                                      SHA1

                                                      e54f4628076d81b36de97b01c098a2e7ba123663

                                                      SHA256

                                                      06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219

                                                      SHA512

                                                      49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608

• memory/1252-270-0x0000020EB9270000-0x0000020EB9271000-memory.dmp
  Filesize: 4KB

• memory/1252-263-0x0000020EB9270000-0x0000020EB9271000-memory.dmp
  Filesize: 4KB

• memory/1252-731-0x0000020EB1C70000-0x0000020EB1E1E000-memory.dmp
  Filesize: 1.7MB

• memory/1252-818-0x0000020EB1C70000-0x0000020EB1E1E000-memory.dmp
  Filesize: 1.7MB

• memory/1252-266-0x0000020EB9270000-0x0000020EB9271000-memory.dmp
  Filesize: 4KB

• memory/1252-240-0x0000020EB9270000-0x0000020EB9271000-memory.dmp
  Filesize: 4KB

• memory/1252-246-0x0000020EB9270000-0x0000020EB9271000-memory.dmp
  Filesize: 4KB

• memory/1252-269-0x0000020EB9270000-0x0000020EB9271000-memory.dmp
  Filesize: 4KB

• memory/1252-347-0x0000020EB1C70000-0x0000020EB1E1E000-memory.dmp
  Filesize: 1.7MB

• memory/1252-271-0x0000020EB9270000-0x0000020EB9271000-memory.dmp
  Filesize: 4KB

• memory/1252-265-0x0000020EB9270000-0x0000020EB9271000-memory.dmp
  Filesize: 4KB

• memory/1252-264-0x0000020EB9270000-0x0000020EB9271000-memory.dmp
  Filesize: 4KB

• memory/1252-247-0x0000020EB9270000-0x0000020EB9271000-memory.dmp
  Filesize: 4KB

• memory/1312-638-0x000000000A7B0000-0x000000000AA5B000-memory.dmp
  Filesize: 2.7MB

• memory/1312-639-0x000000000A7B0000-0x000000000A8FD000-memory.dmp
  Filesize: 1.3MB