Analysis
max time kernel: 116s
max time network: 123s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 13-07-2023 18:50
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/dfk9lsa/gamesense-skeet-crack
Resource: win10-20230703-en
General
Target: https://github.com/dfk9lsa/gamesense-skeet-crack
Malware Config
Extracted family: mercurialgrabber
Webhook: https://discord.com/api/webhooks/988860387116056626/qGMU_xCcvq7I337gTLsPXC3czlwl9dSVfB2QUWYPAbg5aeuREHjAQCmrMIBwrQMrVWt4
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.
Looks for VirtualBox Guest Additions in registry (2 TTPs, 3 IoCs)
Processes: gamesense.pub.exe, gamesense.pub.exe, gamesense.pub.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | gamesense.pub.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | gamesense.pub.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | gamesense.pub.exe
Looks for VMWare Tools registry key (2 TTPs, 3 IoCs)
Processes: gamesense.pub.exe, gamesense.pub.exe, gamesense.pub.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | gamesense.pub.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | gamesense.pub.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | gamesense.pub.exe
Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: gamesense.pub.exe, gamesense.pub.exe, gamesense.pub.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | gamesense.pub.exe
Executes dropped EXE (3 IoCs)
Processes: gamesense.pub.exe, gamesense.pub.exe, gamesense.pub.exe
pid | process
2980 | gamesense.pub.exe
4380 | gamesense.pub.exe
2228 | gamesense.pub.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Looks up external IP address via web service (8 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
52 | ip4.seeip.org
53 | ip4.seeip.org
61 | ip4.seeip.org
62 | ip4.seeip.org
37 | ip4.seeip.org
38 | ip4.seeip.org
40 | ip4.seeip.org
41 | ip-api.com
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: gamesense.pub.exe, gamesense.pub.exe, gamesense.pub.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | gamesense.pub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | gamesense.pub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | gamesense.pub.exe
Program crash (3 IoCs)
Processes: WerFault.exe, WerFault.exe, WerFault.exe
pid | pid_target | process | target process
4272 | 2980 | WerFault.exe | gamesense.pub.exe
4424 | 4380 | WerFault.exe | gamesense.pub.exe
3896 | 2228 | WerFault.exe | gamesense.pub.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: gamesense.pub.exe, gamesense.pub.exe, gamesense.pub.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | gamesense.pub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | gamesense.pub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | gamesense.pub.exe
Enumerates system info in registry (2 TTPs, 15 IoCs)
Processes: chrome.exe, gamesense.pub.exe, gamesense.pub.exe, gamesense.pub.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | gamesense.pub.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | gamesense.pub.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | gamesense.pub.exe
Modifies data under HKEY_USERS (2 IoCs)
Processes: chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133337478558511884" | chrome.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: chrome.exe
pid | process
2692 | chrome.exe
2692 | chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
Processes: chrome.exe
pid | process
2692 | chrome.exe
2692 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: chrome.exe
description | pid | process
Token: SeShutdownPrivilege | 2692 | chrome.exe
Token: SeCreatePagefilePrivilege | 2692 | chrome.exe
(the two rows above alternate throughout the report, 32 occurrences each, 64 IoCs in total)
Suspicious use of FindShellTrayWindow (37 IoCs)
Processes: chrome.exe, 7zG.exe
pid | process
2692 | chrome.exe (36 occurrences)
3744 | 7zG.exe
Suspicious use of SendNotifyMessage (26 IoCs)
Processes: chrome.exe
pid | process
2692 | chrome.exe (26 occurrences)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: chrome.exe
description | pid | process | target process
PID 2692 wrote to memory of 4780 | 2692 | chrome.exe | chrome.exe (2 occurrences)
PID 2692 wrote to memory of 3012 | 2692 | chrome.exe | chrome.exe (repeated)
PID 2692 wrote to memory of 2612 | 2692 | chrome.exe | chrome.exe (2 occurrences)
PID 2692 wrote to memory of 2676 | 2692 | chrome.exe | chrome.exe (repeated)
(64 IoCs in total; the 3012 and 2676 rows account for the remaining 60 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2692)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/dfk9lsa/gamesense-skeet-crack
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4780)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffebc729758,0x7ffebc729768,0x7ffebc729778
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2612)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1752,i,7740587660950727256,7854745794152826419,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3012)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1752,i,7740587660950727256,7854745794152826419,131072 /prefetch:2
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2676)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1752,i,7740587660950727256,7854745794152826419,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2680)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1752,i,7740587660950727256,7854745794152826419,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 936)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1752,i,7740587660950727256,7854745794152826419,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4120)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1752,i,7740587660950727256,7854745794152826419,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 384)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1752,i,7740587660950727256,7854745794152826419,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1612)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1752,i,7740587660950727256,7854745794152826419,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1964)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1752,i,7740587660950727256,7854745794152826419,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2928)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\7-Zip\7zG.exe (PID 3744)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\gamesense-skeet-crack-main\" -ad -an -ai#7zMap4531:110:7zEvent25730
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe (PID 3052)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\gamesense-skeet-crack-main\gamesense-skeet-crack-main\gamesense.pub.exe (PID 2980)
  Command line: "C:\Users\Admin\Desktop\gamesense-skeet-crack-main\gamesense-skeet-crack-main\gamesense.pub.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
    C:\Windows\system32\WerFault.exe (PID 4272)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2980 -s 2024
      - Program crash

C:\Users\Admin\Desktop\gamesense-skeet-crack-main\gamesense-skeet-crack-main\gamesense.pub.exe (PID 4380)
  Command line: "C:\Users\Admin\Desktop\gamesense-skeet-crack-main\gamesense-skeet-crack-main\gamesense.pub.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
    C:\Windows\system32\WerFault.exe (PID 4424)
      Command line: C:\Windows\system32\WerFault.exe -u -p 4380 -s 752
      - Program crash

C:\Users\Admin\Desktop\gamesense-skeet-crack-main\gamesense-skeet-crack-main\gamesense.pub.exe (PID 2228)
  Command line: "C:\Users\Admin\Desktop\gamesense-skeet-crack-main\gamesense-skeet-crack-main\gamesense.pub.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
    C:\Windows\system32\WerFault.exe (PID 3896)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2228 -s 2384
      - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads