Analysis
max time kernel: 83s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/05/2023, 03:18
Behavioral task behavioral1: Sample W4LL3NG - Neo Games.rar; Resource win7-20230220-en
Behavioral task behavioral2: Sample W4LL3NG - Neo Games.rar; Resource win10v2004-20230220-en
General
Target: W4LL3NG - Neo Games.rar
Size: 231.0MB
MD5: b93ed386ccbf9c58a36e10ed5e32332f
SHA1: 5edadb2ee92386a9b6e8b256b141fb65852f2457
SHA256: ab9af0639c182ec3720b0574ace5b13cad7318b6cba86eb79864d2888cebe59a
SHA512: ac92816202b4efa7b8767625bdc6d8fed9cb15515bf3adf8a2f3a4f8e82a8047ba9782155733cb7a44dc4fe1c40a6ba4d511acbd83553d9fc1517767911804e0
SSDEEP: 6291456:XXt8fCQzNGlPjrxqZgrOoNdPayQaKaJTUppHd9RkRFTEvoblr:HGaJuC7oaNOppHdPkRFYQlr
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Checks processor information in registry (2 TTPs, 7 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Modifies registry class (10 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\.rar\ = "rar_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\rar_auto_file\shell\Read | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\rar_auto_file\shell\Read\command | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | firefox.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\.rar | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\rar_auto_file\shell | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\rar_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\rar_auto_file | OpenWith.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1252 | taskmgr.exe (4 identical rows)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  4496 | OpenWith.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1252 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 1252 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 1252 | taskmgr.exe
  Token: SeDebugPrivilege | 3240 | firefox.exe
  Token: SeDebugPrivilege | 3240 | firefox.exe
- Suspicious use of FindShellTrayWindow (18 IoCs)
  pid | Process
  3240 | firefox.exe (4 identical rows)
  1252 | taskmgr.exe (14 identical rows)
- Suspicious use of SendNotifyMessage (17 IoCs)
  pid | Process
  3240 | firefox.exe (3 identical rows)
  1252 | taskmgr.exe (14 identical rows)
- Suspicious use of SetWindowsHookEx (34 IoCs)
  pid | Process
  4496 | OpenWith.exe (29 identical rows)
  1312 | AcroRd32.exe (4 identical rows)
  3240 | firefox.exe (1 row)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4496 wrote to memory of 1312 | 4496 | OpenWith.exe | 93 (3 identical rows)
  PID 2164 wrote to memory of 3240 | 2164 | firefox.exe | 97 (11 identical rows)
  PID 3240 wrote to memory of 2912 | 3240 | firefox.exe | 98 (2 identical rows)
  PID 3240 wrote to memory of 1408 | 3240 | firefox.exe | 99 (48 identical rows)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation and the depth value give the position in the process tree; each process sits under the nearest less-indented process above it)

C:\Windows\system32\cmd.exe (PID 1500, depth 1)
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\W4LL3NG - Neo Games.rar"
  - Modifies registry class

C:\Windows\system32\OpenWith.exe (PID 4496, depth 1)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 1312, depth 2)
    command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\W4LL3NG - Neo Games.rar"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3648, depth 3)
      command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 924, depth 4)
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F882B54E32E3BED6F36A3B953CE293ED --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F882B54E32E3BED6F36A3B953CE293ED --renderer-client-id=2 --mojo-platform-channel-handle=1680 --allow-no-sandbox-job /prefetch:1

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2020, depth 4)
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=40AFD539211B5AE49409FDB165EF2043 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 5488, depth 4)
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B2152F22B5D0C5DCCDCE341972CE007E --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 5584, depth 4)
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=27312E854C0714AC060DB6A765175FD0 --mojo-platform-channel-handle=2028 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 5784, depth 4)
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=016196BBED9349846447EDDDF2DFF649 --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 5372, depth 4)
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5B2F5563F86FC18193461A5330697A85 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5B2F5563F86FC18193461A5330697A85 --renderer-client-id=8 --mojo-platform-channel-handle=2388 --allow-no-sandbox-job /prefetch:1

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4724, depth 3)
      command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files\Mozilla Firefox\firefox.exe (PID 2164, depth 1)
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe (PID 3240, depth 2)
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2912, depth 3)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.0.1650326685\79113616" -parentBuildID 20221007134813 -prefsHandle 1812 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc8d939e-a628-494d-bf83-e902da6f5ce0} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1932 1c317dece58 gpu

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 1408, depth 3)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.1.1210432800\1029477723" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {957f9286-0833-45d3-9333-8ead40626429} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 2332 1c30ae71f58 socket

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 5064, depth 3)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.2.859440627\1259007722" -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 3144 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e681a34-2207-4db1-8b88-575473e55e37} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 3112 1c31b9f2b58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 1496, depth 3)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.3.209428393\1520786065" -childID 2 -isForBrowser -prefsHandle 3432 -prefMapHandle 1136 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f75fd3a5-3cf4-4cc6-9b8a-0c1534f66ec5} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1092 1c30ae65658 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4788, depth 3)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.4.61101957\961433198" -childID 3 -isForBrowser -prefsHandle 4172 -prefMapHandle 4168 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2a0f3a6-7d2a-4842-9393-57e2341c3710} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4184 1c30ae5e558 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4984, depth 3)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.5.1512955805\1085645441" -childID 4 -isForBrowser -prefsHandle 3988 -prefMapHandle 4892 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c3d80fd-6351-4a41-9e0f-31c6a4a78ee9} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 5040 1c31c99a658 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 3460, depth 3)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.7.202131136\966109529" -childID 6 -isForBrowser -prefsHandle 5240 -prefMapHandle 5060 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7e6a02c-f1d2-4e81-90a2-321931a384cf} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 5248 1c31e379858 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 5072, depth 3)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.6.28654518\1034446093" -childID 5 -isForBrowser -prefsHandle 5048 -prefMapHandle 4924 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d461424a-7613-4385-b8bf-e16d7a6d6ea0} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1652 1c31e37a758 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 5196, depth 3)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.8.752083896\615301939" -childID 7 -isForBrowser -prefsHandle 5324 -prefMapHandle 5328 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68650ff3-41b2-48b3-88a1-1f92a8a73b9c} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 5712 1c31955a458 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 5604, depth 3)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.9.835155111\1781412236" -childID 8 -isForBrowser -prefsHandle 2776 -prefMapHandle 4876 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f7e8f31-0e95-4f39-a8c0-0b47edb67f31} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4632 1c31a8b6558 tab

    C:\Users\Admin\Downloads\winrar-x64-621.exe (PID 5536, depth 3)
      command line: "C:\Users\Admin\Downloads\winrar-x64-621.exe"

      C:\Program Files\WinRAR\uninstall.exe (PID 1612, depth 4)
        command line: "C:\Program Files\WinRAR\uninstall.exe" /setup

C:\Windows\system32\taskmgr.exe (PID 1252, depth 1)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\CompPkgSrv.exe (PID 5168, depth 1)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (PID 2948, depth 1)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 109KB
  MD5: e51d9ff73c65b76ccd7cd09aeea99c3c
  SHA1: d4789310e9b7a4628154f21af9803e88e89e9b1b
  SHA256: 7456f489100ec876062d68d152081167ac00d45194b17af4a8dd53680acfc9bd
  SHA512: 57ab82d4a95d3b5d181c0ec1a1a1de56a4d6c83af5644032ff3af71e9bd8e13051ae274609bda8b336d70a99f2fba17331773694d7e98d4a7635f7b59651b77c
- Filesize: 437KB
  MD5: cac9723066062383778f37e9d64fd94e
  SHA1: 1cd78fc041d733f7eacdd447371c9dec25c7ef2c
  SHA256: e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
  SHA512: 2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59
- Filesize: 437KB
  MD5: cac9723066062383778f37e9d64fd94e
  SHA1: 1cd78fc041d733f7eacdd447371c9dec25c7ef2c
  SHA256: e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
  SHA512: 2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59
- Filesize: 103KB
  MD5: 4c88a040b31c4d144b44b0dc68fb2cc8
  SHA1: bf473f5a5d3d8be6e5870a398212450580f8b37b
  SHA256: 6f1a005a0e5c765fcc68fe15f7ccd18667a6e583980e001ba7181aaaeed442b8
  SHA512: e7f224a21d7c111b83775c778e6d9fa447e53809e0efd4f3ba99c7d6206036aa3dde9484248b244fb26789467559a40516c8e163d379e84dcf31ac84b4c5d2a8
- Filesize: 317KB
  MD5: 381eae01a2241b8a4738b3c64649fbc0
  SHA1: cc5944fde68ed622ebee2da9412534e5a44a7c9a
  SHA256: ad58f39f5d429b5a3726c4a8ee5ccada86d24273eebf2f6072ad1fb61ea82d6e
  SHA512: f7a8903ea38f2b62d6fa2cc755e0d972a14d00a2e1047e6e983902eff1d3a6bca98327c2b8ed47e46435d1156816e4b0d494726fce87b6cbe7722f5249889b88
- Filesize: 2.4MB
  MD5: 46d15a70619d5e68415c8f22d5c81555
  SHA1: 12ec96e89b0fd38c469546042e30452b070e337f
  SHA256: 2e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781
  SHA512: 09446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb
- Filesize: 437KB
  MD5: cac9723066062383778f37e9d64fd94e
  SHA1: 1cd78fc041d733f7eacdd447371c9dec25c7ef2c
  SHA256: e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
  SHA512: 2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59
- Filesize: 36KB
  MD5: b30d3becc8731792523d599d949e63f5
  SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
  SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
  SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
- Filesize: 56KB
  MD5: 752a1f26b18748311b691c7d8fc20633
  SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
  SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
  SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
- Filesize: 64KB
  MD5: cb590963d70debcf6243f2ec740b3fe9
  SHA1: 72bafecfa71f8f0937c5ecd584a7ebe845bfb9ba
  SHA256: 9df8f8e7b62d54bd6d82ccce7a67b1ad757fdb64d2ac3a9676c24052d8a63f71
  SHA512: d1ecafbbed7fc066be7ad5faa01ce48d29f5de369b07dd5395b42fa65ad073b252a981cb8968caa1638849267e7d91ff3e3bfc4e2a5f00d12834d0172b6b35f7
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 149KB
  MD5: a6bb6fe314273a0ad8d75a5eb2547e00
  SHA1: e7811e23349db8fd593ebc9b6deb7dcdc8c00cac
  SHA256: a6c541c69f4795beb533fd03829ba38b4ad0e75d2ef910cb730dfa6916c2f92e
  SHA512: b936bedb68f7801210e37aca93c405a14b29f1571d4fa66f73ca5d7f5367db32232e6e98ef018b07f3ef6b232fd968e953fcade6824015947166fa477e2c1491
- Filesize: 14KB
  MD5: f4aa9ce445854444b20dfa01859d885a
  SHA1: 54f9e9968ef2db2307a1d5f41719ab6ce200aaef
  SHA256: 90bdae7cd55b186dab67e53203900271ed6cf21e023ab6ab2a4f7754b0103707
  SHA512: ea1baf8397f335f5803c90b5f22d5c4866032945bd4c4b66f3fa203794522e61fee80d32b6551db93a30a7b100ba21356105bc608b34382fc78dc6d05fc9facd
- Filesize: 15KB
  MD5: 7870e935a853053fc35f07566408eb72
  SHA1: d1457d076a7404b7bbe16600b1adf2d6e3ea6c73
  SHA256: bcf3c27c7754c601ebe657f33e7f766c6b469450c376215f142f4e934f73d16e
  SHA512: c2951096b2de957c407061ff5fec0cecf22fd7e27294de80b834c999a7c94d38d866211158da96b902c7be96e26927d510199e18a348ff5eeec34df415ebdc37
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\A9D6D5BA392CDD19ADAD45FA50F5B7FE9C0472F6
  Filesize: 140KB
  MD5: fe759d82fd1ba93137a47cfafa12e3ed
  SHA1: d2ee62a27d6c93785ef096840bf5177f57c7dff1
  SHA256: 867a4fa7accdc2d57c321e5246b0bde87432d0545818019021e5594140d6b478
  SHA512: 81361d4e1960e681cf62db63e8c92aaab2c52a5cc9d4e2f08e509bb832ef3ec3bce9c83bff1010eb1897d69a38530c580c1cc3031cc085532bb3af71bd0d0f2f
- Filesize: 6KB
  MD5: 955ba81718cbe7280245ee9bd5b623d5
  SHA1: c4b1ef81b2c09a080823e545da8f14e9e891d708
  SHA256: 413028b462b8f3af578d4ee6db3baf6c6bee1fd306c2500dee83adeb24f89d2d
  SHA512: d4a9e78178b81b8302d9a5aba28b43cb4026d92819aac5805dbd898d93b25008099df7a73ab7676da99897826b5dcea6c45c0fa0adedc058d7c877ec0a5d1927
- Filesize: 6KB
  MD5: 6c88332781e383760ab779016cdb2be7
  SHA1: 714fab3d898d6477d826cd876e6cb7e279a71c32
  SHA256: 27fee15bca2568e83fcf656821cdcd8352a39b7b42860c7a836db79a00048ee4
  SHA512: 97223d2a882848c4fa5d4e503918724158ad024876f8ee5e507c193332c66530b7536fbb54090fbccc4780d10c667944720da79ba464e3dba10a2d2b491861c1
- Filesize: 7KB
  MD5: 7796def92485289d20fbf43d78c8e3d8
  SHA1: c73ed9f8e8ac57772be4190b2ecc035f77341cf4
  SHA256: c8b3b837b49c2ec626386f86d1063260a13a6f62daa8172870d7531a8f0c8a98
  SHA512: 79db5fcb34cf2c1a991112ea000f5c01122f62a2a2b34491297f152ea88c5724eda79b77aae5200dfa6b9505d9e5bf4c28a3bfd3323ab6d17af9f928a5088316
- Filesize: 7KB
  MD5: f130e8222b71bc0fb3b0137203706633
  SHA1: 6adb51f5ebd8a316fd5e1a5243004c53d38ccae5
  SHA256: 69f95433c33cf7085d09752b014422c051d6b9ea70e1eb3686cbde2f1b7c4a66
  SHA512: 91ee20e6ab3732bb91a2554aa5cc6a8e5f775e2ee275ad450018fdc3188734326bbf18ae285ed38dcb9d0fe21928f6c0e92a6c1ed2258d4f2a3c51ecbd3bfcc9
- Filesize: 6KB
  MD5: bf606426e5b9b70fcfecb113b974e796
  SHA1: d291af7b777e116dc9af7157f4af182d1b11205c
  SHA256: 7402ce1370d614436e13b44dc2a5b2096bb32a3beed76311105162f4c5277157
  SHA512: 30dc64b7662ba610f3cbc25c796f599c641678af229e7ded0006c9f35039fbf70682cdf395636580fdf5444ba17ba0bc058caebc9572d45404c850bcbc8e1571
- Filesize: 6KB
  MD5: f73e52d124620d05267ba934f3b312d3
  SHA1: 34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30
  SHA256: fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7
  SHA512: 4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 3KB
  MD5: 3c10527a50d47998c87e6667cbbb8d68
  SHA1: 5339539f3dd3f54d6d9f2dffef19b79969eac2b6
  SHA256: a7d7f4c0c1fc0e4bcefa841fbb009e074d92813e1135deecc3a611401553eb79
  SHA512: 737c66c602ab8c183e0291ae5414122c5e139aa62defed2c26f0351494af3fc1d22b023a280c5e074692d6ab186b70669568c65b4723465a3cfe6c3b9d571e85
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 9e89c93e4eac4b22720e8c74996f1889
  SHA1: 94463d86ee1263875634d28b730082ae80736788
  SHA256: 97d9f614d5cc59030f1faeacaa8c5dd93aa070e44c55059adadf2b07fc1f3c17
  SHA512: 20b8054db9cdf37afbcaf260f6d4829d51b9bbfdfd0ec721a22a19caffa62189cd201ade8307bd347d99aedc845baa0e7e95de63b55bd6e2280a38d6aa537f89
- Filesize: 3.4MB
  MD5: 766ac70b840c029689d3c065712cf46e
  SHA1: e54f4628076d81b36de97b01c098a2e7ba123663
  SHA256: 06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
  SHA512: 49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608
- Filesize: 3.4MB
  MD5: 766ac70b840c029689d3c065712cf46e
  SHA1: e54f4628076d81b36de97b01c098a2e7ba123663
  SHA256: 06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
  SHA512: 49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608
- Filesize: 3.4MB
  MD5: 766ac70b840c029689d3c065712cf46e
  SHA1: e54f4628076d81b36de97b01c098a2e7ba123663
  SHA256: 06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
  SHA512: 49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608