Overview
overview
8Static
static
3ArenaWarSetup.exe
windows7-x64
7ArenaWarSetup.exe
windows10-2004-x64
8$PLUGINSDI...er.dll
windows7-x64
1$PLUGINSDI...er.dll
windows10-2004-x64
1$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3ArenaWars.exe
windows7-x64
1ArenaWars.exe
windows10-2004-x64
7LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1locales/af.ps1
windows7-x64
3locales/af.ps1
windows10-2004-x64
3locales/uk.ps1
windows7-x64
3locales/uk.ps1
windows10-2004-x64
3resources/elevate.exe
windows7-x64
1resources/elevate.exe
windows10-2004-x64
1vk_swiftshader.dll
windows7-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows7-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...ec.dll
windows7-x64
3Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
12-06-2024 13:24
Static task
static1
Behavioral task
behavioral1
Sample
ArenaWarSetup.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
ArenaWarSetup.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/WinShell.dll
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
ArenaWars.exe
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
ArenaWars.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
LICENSES.chromium.html
Resource
win7-20240611-en
Behavioral task
behavioral14
Sample
LICENSES.chromium.html
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
ffmpeg.dll
Resource
win7-20240221-en
Behavioral task
behavioral17
Sample
ffmpeg.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral18
Sample
libEGL.dll
Resource
win7-20240508-en
Behavioral task
behavioral19
Sample
libEGL.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral20
Sample
libGLESv2.dll
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
libGLESv2.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
locales/af.ps1
Resource
win7-20240419-en
Behavioral task
behavioral23
Sample
locales/af.ps1
Resource
win10v2004-20240611-en
Behavioral task
behavioral24
Sample
locales/uk.ps1
Resource
win7-20240611-en
Behavioral task
behavioral25
Sample
locales/uk.ps1
Resource
win10v2004-20240508-en
Behavioral task
behavioral26
Sample
resources/elevate.exe
Resource
win7-20231129-en
Behavioral task
behavioral27
Sample
resources/elevate.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral28
Sample
vk_swiftshader.dll
Resource
win7-20240508-en
Behavioral task
behavioral29
Sample
vk_swiftshader.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral30
Sample
vulkan-1.dll
Resource
win7-20240611-en
Behavioral task
behavioral31
Sample
vulkan-1.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral32
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240221-en
General
-
Target
ArenaWars.exe
-
Size
154.7MB
-
MD5
ae49988c16a8e1d90e02444944b474a3
-
SHA1
fc78cef1c93e514a32bfe414757c244f5532926a
-
SHA256
42032e3e489e28cd88b48e500d2049cb64fe019decfa189cfaa4cd9d0199c9b3
-
SHA512
9e2e91397c7cea30d2f3669c32c39be3da475561ea4d3140c454acd29108e26148b7c7467742052d371c6c6928c3113c33ea331ffeb1aff1cef3581889fb5956
-
SSDEEP
1572864:8Tmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:Xv6E70+Mk
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ArenaWars.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation ArenaWars.exe -
Loads dropped DLL 1 IoCs
Processes:
ArenaWars.exepid Process 2776 ArenaWars.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
Processes:
cmd.execmd.exepid Process 1188 cmd.exe 3756 cmd.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid Process 3740 tasklist.exe 1028 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
powershell.exepowershell.exepowershell.exeArenaWars.exeArenaWars.exepid Process 3980 powershell.exe 3980 powershell.exe 1116 powershell.exe 1116 powershell.exe 1140 powershell.exe 1140 powershell.exe 3232 ArenaWars.exe 3232 ArenaWars.exe 3852 ArenaWars.exe 3852 ArenaWars.exe 3852 ArenaWars.exe 3852 ArenaWars.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
tasklist.exepowershell.exetasklist.exepowershell.exepowershell.exeArenaWars.exeWMIC.exeWMIC.exedescription pid Process Token: SeDebugPrivilege 3740 tasklist.exe Token: SeDebugPrivilege 3980 powershell.exe Token: SeDebugPrivilege 1028 tasklist.exe Token: SeDebugPrivilege 1116 powershell.exe Token: SeDebugPrivilege 1140 powershell.exe Token: SeShutdownPrivilege 2776 ArenaWars.exe Token: SeCreatePagefilePrivilege 2776 ArenaWars.exe Token: SeIncreaseQuotaPrivilege 2504 WMIC.exe Token: SeSecurityPrivilege 2504 WMIC.exe Token: SeTakeOwnershipPrivilege 2504 WMIC.exe Token: SeLoadDriverPrivilege 2504 WMIC.exe Token: SeSystemProfilePrivilege 2504 WMIC.exe Token: SeSystemtimePrivilege 2504 WMIC.exe Token: SeProfSingleProcessPrivilege 2504 WMIC.exe Token: SeIncBasePriorityPrivilege 2504 WMIC.exe Token: SeCreatePagefilePrivilege 2504 WMIC.exe Token: SeBackupPrivilege 2504 WMIC.exe Token: SeRestorePrivilege 2504 WMIC.exe Token: SeShutdownPrivilege 2504 WMIC.exe Token: SeDebugPrivilege 2504 WMIC.exe Token: SeSystemEnvironmentPrivilege 2504 WMIC.exe Token: SeRemoteShutdownPrivilege 2504 WMIC.exe Token: SeUndockPrivilege 2504 WMIC.exe Token: SeManageVolumePrivilege 2504 WMIC.exe Token: 33 2504 WMIC.exe Token: 34 2504 WMIC.exe Token: 35 2504 WMIC.exe Token: 36 2504 WMIC.exe Token: SeIncreaseQuotaPrivilege 2504 WMIC.exe Token: SeSecurityPrivilege 2504 WMIC.exe Token: SeTakeOwnershipPrivilege 2504 WMIC.exe Token: SeLoadDriverPrivilege 2504 WMIC.exe Token: SeSystemProfilePrivilege 2504 WMIC.exe Token: SeSystemtimePrivilege 2504 WMIC.exe Token: SeProfSingleProcessPrivilege 2504 WMIC.exe Token: SeIncBasePriorityPrivilege 2504 WMIC.exe Token: SeCreatePagefilePrivilege 2504 WMIC.exe Token: SeBackupPrivilege 2504 WMIC.exe Token: SeRestorePrivilege 2504 WMIC.exe Token: SeShutdownPrivilege 2504 WMIC.exe Token: SeDebugPrivilege 2504 WMIC.exe Token: SeSystemEnvironmentPrivilege 2504 WMIC.exe Token: SeRemoteShutdownPrivilege 2504 WMIC.exe Token: SeUndockPrivilege 2504 WMIC.exe Token: SeManageVolumePrivilege 2504 WMIC.exe Token: 33 2504 WMIC.exe Token: 34 2504 WMIC.exe Token: 35 2504 WMIC.exe Token: 36 2504 WMIC.exe Token: SeIncreaseQuotaPrivilege 2236 WMIC.exe Token: SeSecurityPrivilege 2236 WMIC.exe Token: SeTakeOwnershipPrivilege 2236 WMIC.exe Token: SeLoadDriverPrivilege 2236 WMIC.exe Token: SeSystemProfilePrivilege 2236 WMIC.exe Token: SeSystemtimePrivilege 2236 WMIC.exe Token: SeProfSingleProcessPrivilege 2236 WMIC.exe Token: SeIncBasePriorityPrivilege 2236 WMIC.exe Token: SeCreatePagefilePrivilege 2236 WMIC.exe Token: SeBackupPrivilege 2236 WMIC.exe Token: SeRestorePrivilege 2236 WMIC.exe Token: SeShutdownPrivilege 2236 WMIC.exe Token: SeDebugPrivilege 2236 WMIC.exe Token: SeSystemEnvironmentPrivilege 2236 WMIC.exe Token: SeRemoteShutdownPrivilege 2236 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ArenaWars.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid Process procid_target PID 2776 wrote to memory of 224 2776 ArenaWars.exe 82 PID 2776 wrote to memory of 224 2776 ArenaWars.exe 82 PID 2776 wrote to memory of 552 2776 ArenaWars.exe 84 PID 2776 wrote to memory of 552 2776 ArenaWars.exe 84 PID 224 wrote to memory of 3980 224 cmd.exe 86 PID 224 wrote to memory of 3980 224 cmd.exe 86 PID 552 wrote to memory of 3740 552 cmd.exe 87 PID 552 wrote to memory of 3740 552 cmd.exe 87 PID 2776 wrote to memory of 3248 2776 ArenaWars.exe 89 PID 2776 wrote to memory of 3248 2776 ArenaWars.exe 89 PID 2776 wrote to memory of 1188 2776 ArenaWars.exe 90 PID 2776 wrote to memory of 1188 2776 ArenaWars.exe 90 PID 3248 wrote to memory of 1028 3248 cmd.exe 93 PID 3248 wrote to memory of 1028 3248 cmd.exe 93 PID 1188 wrote to memory of 1116 1188 cmd.exe 94 PID 1188 wrote to memory of 1116 1188 cmd.exe 94 PID 2776 wrote to memory of 3756 2776 ArenaWars.exe 95 PID 2776 wrote to memory of 3756 2776 ArenaWars.exe 95 PID 3756 wrote to memory of 1140 3756 cmd.exe 97 PID 3756 wrote to memory of 1140 3756 cmd.exe 97 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4852 2776 ArenaWars.exe 98 PID 2776 wrote to memory of 4324 2776 ArenaWars.exe 99 PID 2776 wrote to memory of 4324 2776 ArenaWars.exe 99 PID 2776 wrote to memory of 3232 2776 ArenaWars.exe 100 PID 2776 wrote to memory of 3232 2776 ArenaWars.exe 100 PID 4324 wrote to memory of 2504 4324 cmd.exe 102 PID 4324 wrote to memory of 2504 4324 cmd.exe 102 PID 2776 wrote to memory of 3600 2776 ArenaWars.exe 103 PID 2776 wrote to memory of 3600 2776 ArenaWars.exe 103 PID 3600 wrote to memory of 2236 3600 cmd.exe 105 PID 3600 wrote to memory of 2236 3600 cmd.exe 105 PID 2776 wrote to memory of 5112 2776 ArenaWars.exe 106 PID 2776 wrote to memory of 5112 2776 ArenaWars.exe 106 PID 5112 wrote to memory of 3696 5112 cmd.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe"C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"2⤵
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
-
-
C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe"C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ArenaWars" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1892 --field-trial-handle=1896,i,7221427735714181735,6932212594513706117,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:4852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name"2⤵
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
-
-
C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe"C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ArenaWars" --mojo-platform-channel-handle=2120 --field-trial-handle=1896,i,7221427735714181735,6932212594513706117,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic cpu get ProcessorId"2⤵
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\System32\Wbem\WMIC.exewmic cpu get ProcessorId3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get Product"2⤵
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\System32\Wbem\WMIC.exewmic baseboard get Product3⤵PID:3696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get SerialNumber"2⤵PID:640
-
C:\Windows\System32\Wbem\WMIC.exewmic baseboard get SerialNumber3⤵PID:2148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption"2⤵PID:4352
-
C:\Windows\System32\Wbem\WMIC.exewmic OS get caption3⤵PID:3792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get TotalPhysicalMemory"2⤵PID:1856
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get TotalPhysicalMemory3⤵PID:4172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_videocontroller get caption,PNPDeviceID"2⤵PID:4380
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_videocontroller get caption,PNPDeviceID3⤵PID:4712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get SerialNumber"2⤵PID:1068
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get SerialNumber3⤵PID:4044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"2⤵PID:3040
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_computersystemproduct get uuid3⤵PID:2088
-
-
-
C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe"C:\Users\Admin\AppData\Local\Temp\ArenaWars.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ArenaWars" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2520 --field-trial-handle=1896,i,7221427735714181735,6932212594513706117,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3852
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
1KB
MD58e26941f21dac5843c6d170e536afccb
SHA126b9ebd7bf3ed13bc51874ba06151850a0dac7db
SHA256316f6ce22306f3018f9f57435ea75092633097182646f7e4ca23e2e2aa1393c0
SHA5129148227032d98d49baf0d81a7435ba3adc653d7790245140acc50c38de00839d26a661b92f6754b15bab54fe81fbcf9003692fd7bef09027f11ef703a5879e62
-
Filesize
477B
MD564995a6c323f8d5e2f412b4fafc6a189
SHA19c70063d77552ab6c4fead9b3547dbd7931d1d86
SHA256fc727f89e4e7f7b6031c3b7810f283e8c5aad78de720792dc58fefb6af3f5778
SHA51299ad5a1e6a46f0da3b6e63ab40e51b9fe4d518ea901f1651ef20b063ac0c65bc29493754197877d94293ff4b099a0c6a17d9acab75f96c3947234d7afe172ddd
-
Filesize
22B
MD576cdb2bad9582d23c1f6f4d868218d6c
SHA1b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA2568739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA5125e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f
-
Filesize
14B
MD5b4b41665eb819824e886204a28cc610b
SHA1e778edb6f635f665c0b512748b8fec6a2a23a88b
SHA256635f814c1f34ee53ee62b67f989fec91eb0e08f63769ab4bd22cf4206a2cfff6
SHA51237648652b1df14aa427382a4dac70d58a107d3dd77bd1977afc3acce8c56b7b6531b67d33f4b61b9fb8fbb9230ab0dfd461db07c1cc11a2923604e910a743d67
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.4MB
MD556192831a7f808874207ba593f464415
SHA1e0c18c72a62692d856da1f8988b0bc9c8088d2aa
SHA2566aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
SHA512c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33