Analysis
max time kernel: 69s
max time network: 77s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 18:27
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1224456587133849751/1242518582731083836/gamesnus-fixed.rar?ex=664e211b&is=664ccf9b&hm=c011acce9872cfc56ebb131b1e696b4397d1d9fc60057d3a43462f7bde811eae&
Resource: win10v2004-20240508-en
General
Target: https://cdn.discordapp.com/attachments/1224456587133849751/1242518582731083836/gamesnus-fixed.rar?ex=664e211b&is=664ccf9b&hm=c011acce9872cfc56ebb131b1e696b4397d1d9fc60057d3a43462f7bde811eae&
Malware Config
Extracted
Family: xworm
C2: programme-garden.gl.at.ply.gg:42957
Install_directory: %ProgramData%
install_file: wemm.exe
Signatures
Detect Xworm Payload (2 IoCs)
Processes:
resource                                                                      yara_rule
C:\Users\Admin\AppData\Local\Temp\wemm.exe                                    family_xworm
behavioral1/memory/2124-126-0x00000000004A0000-0x00000000004B6000-memory.dmp  family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid   process
2224  powershell.exe
5616  powershell.exe
5764  powershell.exe
6000  powershell.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                process
Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  gamesnus-fixed.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  wemm.exe
Drops startup file (2 IoCs)
Processes:
description                   ioc                                                                                  process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wemm.lnk  wemm.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wemm.lnk  wemm.exe
Executes dropped EXE (4 IoCs)
Processes:
pid   process
4308  gamesnus-fixed.exe
2096  gamesnus-fixed.exe
2124  wemm.exe
4064  gamesnus-fixed.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description      ioc                                                                                                                                              process
Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wemm = "C:\\ProgramData\\wemm.exe"  wemm.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
56    ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description        ioc                                                                   process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Modifies registry class (1 IoCs)
Processes:
description  ioc                                                                                   process
Key created  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings  msedge.exe
Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes (distinct pid/process pairs; the full list repeats these):
pid   process
872   msedge.exe
1448  msedge.exe
4020  identity_helper.exe
3904  msedge.exe
4308  gamesnus-fixed.exe
2224  powershell.exe
5616  powershell.exe
5764  powershell.exe
6000  powershell.exe
2124  wemm.exe
4064  gamesnus-fixed.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes (distinct pid/process pairs; the full list repeats this entry):
pid   process
1448  msedge.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
description                 pid   process
Token: SeRestorePrivilege   6076  7zG.exe
Token: 35                   6076  7zG.exe
Token: SeSecurityPrivilege  6076  7zG.exe
Token: SeSecurityPrivilege  6076  7zG.exe
Token: SeDebugPrivilege     4308  gamesnus-fixed.exe
Token: SeDebugPrivilege     2124  wemm.exe
Token: SeDebugPrivilege     2224  powershell.exe
Token: SeDebugPrivilege     5616  powershell.exe
Token: SeDebugPrivilege     5764  powershell.exe
Token: SeDebugPrivilege     6000  powershell.exe
Token: SeDebugPrivilege     2124  wemm.exe
Token: SeDebugPrivilege     4064  gamesnus-fixed.exe
Suspicious use of FindShellTrayWindow (35 IoCs)
Processes (distinct pid/process pairs; the full list repeats these):
pid   process
1448  msedge.exe
6076  7zG.exe
Suspicious use of SendNotifyMessage (24 IoCs)
Processes (distinct pid/process pairs; the full list repeats this entry):
pid   process
1448  msedge.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid   process
2124  wemm.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (distinct entries; the full list repeats these):
description                   pid   process     target process
PID 1448 wrote to memory of 1216  1448  msedge.exe  msedge.exe
PID 1448 wrote to memory of 3780  1448  msedge.exe  msedge.exe
PID 1448 wrote to memory of 872   1448  msedge.exe  msedge.exe
PID 1448 wrote to memory of 3568  1448  msedge.exe  msedge.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child tree)

Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1224456587133849751/1242518582731083836/gamesnus-fixed.rar?ex=664e211b&is=664ccf9b&hm=c011acce9872cfc56ebb131b1e696b4397d1d9fc60057d3a43462f7bde811eae&
PID: 1448
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf58f46f8,0x7ffdf58f4708,0x7ffdf58f4718
  PID: 1216

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  PID: 3780

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  PID: 872
  - Suspicious behavior: EnumeratesProcesses

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  PID: 3568

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  PID: 2100

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  PID: 3376

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  PID: 876

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  PID: 4020
  - Suspicious behavior: EnumeratesProcesses

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  PID: 3104

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  PID: 4724

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3420 /prefetch:8
  PID: 816

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  PID: 4840

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  PID: 3904
  - Suspicious behavior: EnumeratesProcesses

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  PID: 1440

  Process (child of 1448): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  PID: 5060

Process: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 4228

Process: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 1592

Process: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 5868

Process: C:\Program Files\7-Zip\7zG.exe
Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\gamesnus-fixed\" -spe -an -ai#7zMap59:90:7zEvent25970
PID: 6076
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

Process: C:\Users\Admin\Downloads\gamesnus-fixed\Lua Injector\gamesnus-fixed.exe
Command line: "C:\Users\Admin\Downloads\gamesnus-fixed\Lua Injector\gamesnus-fixed.exe"
PID: 4308
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

  Process (child of 4308): C:\Users\Admin\AppData\Local\Temp\gamesnus-fixed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\gamesnus-fixed.exe"
  PID: 2096
  - Executes dropped EXE

    Process (child of 2096): C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c color 5F
    PID: 5408

  Process (child of 4308): C:\Users\Admin\AppData\Local\Temp\wemm.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\wemm.exe"
  PID: 2124
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

    Process (child of 2124): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wemm.exe'
    PID: 2224
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    Process (child of 2124): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wemm.exe'
    PID: 5616
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    Process (child of 2124): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\wemm.exe'
    PID: 5764
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    Process (child of 2124): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wemm.exe'
    PID: 6000
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    Process (child of 2124): C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wemm" /tr "C:\ProgramData\wemm.exe"
    PID: 6056
    - Creates scheduled task(s)

Process: C:\Users\Admin\Downloads\gamesnus-fixed\Lua Injector\gamesnus-fixed.exe
Command line: "C:\Users\Admin\Downloads\gamesnus-fixed\Lua Injector\gamesnus-fixed.exe"
PID: 4064
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads