6044b114b35a47e066a4abd1d87e01463e1e441afa8d2e436c652e2602d6ee9a

Resubmissions

16-07-2024 12:36

240716-ps1mhswamh 7

16-07-2024 01:37

240716-b2cedsyhjn 7

16-07-2024 00:50

240716-a64h1azfkb 8

Analysis

max time kernel
1430s
max time network
1154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WorldWars.exe
Size

154.6MB
MD5

2083e38dc689c08455a74b5201f3ebb2
SHA1

b905d6d3ba73eba3b219ea6de7bb7e42de2605fb
SHA256

5a48729eeb6e105d5849faee5d4888841c02263622e2fdd5b66309186910d7a2
SHA512

6d16116a78aded98f26b44f6277e92f7f3296a752eef8247b3976f718e5b79144f353451687ebde16f6a559d868b25b46a2b9c84dc306c015507ae93efadc528
SSDEEP

1572864:uTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:pv6E70+Mk

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
956	WorldWars.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
1872	cmd.exe
2432	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1768	tasklist.exe
1340	tasklist.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2496	powershell.exe
2496	powershell.exe
3112	powershell.exe
3112	powershell.exe
532	powershell.exe
532	powershell.exe
1384	WorldWars.exe
1384	WorldWars.exe
1108	WorldWars.exe
1108	WorldWars.exe
1108	WorldWars.exe
1108	WorldWars.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	tasklist.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1340	tasklist.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeShutdownPrivilege	956	WorldWars.exe
Token: SeCreatePagefilePrivilege	956	WorldWars.exe
Token: SeIncreaseQuotaPrivilege	2376	WMIC.exe
Token: SeSecurityPrivilege	2376	WMIC.exe
Token: SeTakeOwnershipPrivilege	2376	WMIC.exe
Token: SeLoadDriverPrivilege	2376	WMIC.exe
Token: SeSystemProfilePrivilege	2376	WMIC.exe
Token: SeSystemtimePrivilege	2376	WMIC.exe
Token: SeProfSingleProcessPrivilege	2376	WMIC.exe
Token: SeIncBasePriorityPrivilege	2376	WMIC.exe
Token: SeCreatePagefilePrivilege	2376	WMIC.exe
Token: SeBackupPrivilege	2376	WMIC.exe
Token: SeRestorePrivilege	2376	WMIC.exe
Token: SeShutdownPrivilege	2376	WMIC.exe
Token: SeDebugPrivilege	2376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2376	WMIC.exe
Token: SeRemoteShutdownPrivilege	2376	WMIC.exe
Token: SeUndockPrivilege	2376	WMIC.exe
Token: SeManageVolumePrivilege	2376	WMIC.exe
Token: 33	2376	WMIC.exe
Token: 34	2376	WMIC.exe
Token: 35	2376	WMIC.exe
Token: 36	2376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2376	WMIC.exe
Token: SeSecurityPrivilege	2376	WMIC.exe
Token: SeTakeOwnershipPrivilege	2376	WMIC.exe
Token: SeLoadDriverPrivilege	2376	WMIC.exe
Token: SeSystemProfilePrivilege	2376	WMIC.exe
Token: SeSystemtimePrivilege	2376	WMIC.exe
Token: SeProfSingleProcessPrivilege	2376	WMIC.exe
Token: SeIncBasePriorityPrivilege	2376	WMIC.exe
Token: SeCreatePagefilePrivilege	2376	WMIC.exe
Token: SeBackupPrivilege	2376	WMIC.exe
Token: SeRestorePrivilege	2376	WMIC.exe
Token: SeShutdownPrivilege	2376	WMIC.exe
Token: SeDebugPrivilege	2376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2376	WMIC.exe
Token: SeRemoteShutdownPrivilege	2376	WMIC.exe
Token: SeUndockPrivilege	2376	WMIC.exe
Token: SeManageVolumePrivilege	2376	WMIC.exe
Token: 33	2376	WMIC.exe
Token: 34	2376	WMIC.exe
Token: 35	2376	WMIC.exe
Token: 36	2376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2804	WMIC.exe
Token: SeSecurityPrivilege	2804	WMIC.exe
Token: SeTakeOwnershipPrivilege	2804	WMIC.exe
Token: SeLoadDriverPrivilege	2804	WMIC.exe
Token: SeSystemProfilePrivilege	2804	WMIC.exe
Token: SeSystemtimePrivilege	2804	WMIC.exe
Token: SeProfSingleProcessPrivilege	2804	WMIC.exe
Token: SeIncBasePriorityPrivilege	2804	WMIC.exe
Token: SeCreatePagefilePrivilege	2804	WMIC.exe
Token: SeBackupPrivilege	2804	WMIC.exe
Token: SeRestorePrivilege	2804	WMIC.exe
Token: SeShutdownPrivilege	2804	WMIC.exe
Token: SeDebugPrivilege	2804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2804	WMIC.exe
Token: SeRemoteShutdownPrivilege	2804	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 3312	956	WorldWars.exe	84
PID 956 wrote to memory of 3312	956	WorldWars.exe	84
PID 956 wrote to memory of 2000	956	WorldWars.exe	86
PID 956 wrote to memory of 2000	956	WorldWars.exe	86
PID 3312 wrote to memory of 2496	3312	cmd.exe	88
PID 3312 wrote to memory of 2496	3312	cmd.exe	88
PID 2000 wrote to memory of 1768	2000	cmd.exe	89
PID 2000 wrote to memory of 1768	2000	cmd.exe	89
PID 956 wrote to memory of 1840	956	WorldWars.exe	91
PID 956 wrote to memory of 1840	956	WorldWars.exe	91
PID 956 wrote to memory of 1872	956	WorldWars.exe	93
PID 956 wrote to memory of 1872	956	WorldWars.exe	93
PID 1840 wrote to memory of 1340	1840	cmd.exe	95
PID 1840 wrote to memory of 1340	1840	cmd.exe	95
PID 1872 wrote to memory of 3112	1872	cmd.exe	96
PID 1872 wrote to memory of 3112	1872	cmd.exe	96
PID 956 wrote to memory of 2432	956	WorldWars.exe	97
PID 956 wrote to memory of 2432	956	WorldWars.exe	97
PID 2432 wrote to memory of 532	2432	cmd.exe	99
PID 2432 wrote to memory of 532	2432	cmd.exe	99
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 4700	956	WorldWars.exe	100
PID 956 wrote to memory of 1668	956	WorldWars.exe	101
PID 956 wrote to memory of 1668	956	WorldWars.exe	101
PID 956 wrote to memory of 1384	956	WorldWars.exe	102
PID 956 wrote to memory of 1384	956	WorldWars.exe	102
PID 1668 wrote to memory of 2376	1668	cmd.exe	104
PID 1668 wrote to memory of 2376	1668	cmd.exe	104
PID 956 wrote to memory of 4132	956	WorldWars.exe	105
PID 956 wrote to memory of 4132	956	WorldWars.exe	105
PID 4132 wrote to memory of 2804	4132	cmd.exe	107
PID 4132 wrote to memory of 2804	4132	cmd.exe	107
PID 956 wrote to memory of 2728	956	WorldWars.exe	108
PID 956 wrote to memory of 2728	956	WorldWars.exe	108
PID 2728 wrote to memory of 2368	2728	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
"C:\Users\Admin\AppData\Local\Temp\WorldWars.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,145,13,58,124,30,40,189,70,165,100,34,30,6,236,216,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,13,78,225,238,81,242,54,93,114,41,201,135,233,255,51,75,238,124,114,206,112,243,167,94,224,197,29,56,62,200,31,128,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,40,81,43,68,9,153,70,109,187,36,190,193,130,199,26,127,136,124,228,38,75,140,243,89,30,61,103,46,86,143,248,114,48,0,0,0,74,114,75,149,196,38,186,148,133,105,94,129,195,110,235,68,200,129,136,10,22,240,206,253,218,83,18,90,16,39,9,59,49,59,29,171,216,54,192,146,21,178,227,71,99,75,94,246,64,0,0,0,180,88,177,47,121,123,242,119,228,145,146,122,99,155,71,54,241,51,242,143,81,213,228,170,129,248,243,66,58,36,75,175,250,106,42,226,225,210,105,192,4,197,208,8,192,1,143,181,94,58,123,195,86,100,93,247,64,252,117,239,146,183,104,157), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,145,13,58,124,30,40,189,70,165,100,34,30,6,236,216,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,13,78,225,238,81,242,54,93,114,41,201,135,233,255,51,75,238,124,114,206,112,243,167,94,224,197,29,56,62,200,31,128,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,40,81,43,68,9,153,70,109,187,36,190,193,130,199,26,127,136,124,228,38,75,140,243,89,30,61,103,46,86,143,248,114,48,0,0,0,74,114,75,149,196,38,186,148,133,105,94,129,195,110,235,68,200,129,136,10,22,240,206,253,218,83,18,90,16,39,9,59,49,59,29,171,216,54,192,146,21,178,227,71,99,75,94,246,64,0,0,0,180,88,177,47,121,123,242,119,228,145,146,122,99,155,71,54,241,51,242,143,81,213,228,170,129,248,243,66,58,36,75,175,250,106,42,226,225,210,105,192,4,197,208,8,192,1,143,181,94,58,123,195,86,100,93,247,64,252,117,239,146,183,104,157), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,145,13,58,124,30,40,189,70,165,100,34,30,6,236,216,24,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,20,29,26,98,64,44,226,214,150,140,5,93,9,205,157,159,142,9,7,42,55,240,110,187,23,162,197,9,239,20,46,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,187,82,227,91,150,150,10,73,155,252,195,239,145,62,190,145,28,48,233,205,131,115,209,185,225,150,206,173,252,73,23,0,48,0,0,0,55,32,18,46,197,59,107,47,89,116,117,185,66,233,212,221,74,21,152,12,51,238,20,40,9,173,78,120,242,64,7,86,235,65,242,114,115,156,18,65,86,66,251,152,179,54,32,45,64,0,0,0,99,246,183,155,42,60,223,219,232,128,240,225,213,68,124,100,113,0,228,185,135,178,112,127,159,177,22,200,242,183,134,29,223,162,60,116,168,153,158,193,120,62,40,23,107,206,25,85,46,230,94,142,143,13,74,105,180,61,20,0,122,6,4,110), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,145,13,58,124,30,40,189,70,165,100,34,30,6,236,216,24,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,20,29,26,98,64,44,226,214,150,140,5,93,9,205,157,159,142,9,7,42,55,240,110,187,23,162,197,9,239,20,46,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,187,82,227,91,150,150,10,73,155,252,195,239,145,62,190,145,28,48,233,205,131,115,209,185,225,150,206,173,252,73,23,0,48,0,0,0,55,32,18,46,197,59,107,47,89,116,117,185,66,233,212,221,74,21,152,12,51,238,20,40,9,173,78,120,242,64,7,86,235,65,242,114,115,156,18,65,86,66,251,152,179,54,32,45,64,0,0,0,99,246,183,155,42,60,223,219,232,128,240,225,213,68,124,100,113,0,228,185,135,178,112,127,159,177,22,200,242,183,134,29,223,162,60,116,168,153,158,193,120,62,40,23,107,206,25,85,46,230,94,142,143,13,74,105,180,61,20,0,122,6,4,110), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
  "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WorldWars" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1900 --field-trial-handle=1904,i,11845670251919337182,3764038042098715136,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
- C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
  "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\WorldWars" --mojo-platform-channel-handle=1316 --field-trial-handle=1904,i,11845670251919337182,3764038042098715136,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get ProcessorId"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get ProcessorId
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get Product"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get Product
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get SerialNumber"
  2⤵
  PID:4496
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get SerialNumber
    3⤵
    PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption"
  2⤵
  PID:1124
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption
    3⤵
    PID:5080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get TotalPhysicalMemory"
  2⤵
  PID:5092
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get TotalPhysicalMemory
    3⤵
    PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_videocontroller get caption,PNPDeviceID"
  2⤵
  PID:2236
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_videocontroller get caption,PNPDeviceID
    3⤵
    PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get SerialNumber"
  2⤵
  PID:2520
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get SerialNumber
    3⤵
    PID:4948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  PID:744
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:3460
- C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
  "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\WorldWars" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1416 --field-trial-handle=1904,i,11845670251919337182,3764038042098715136,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e26941f21dac5843c6d170e536afccb

SHA1
26b9ebd7bf3ed13bc51874ba06151850a0dac7db

SHA256
316f6ce22306f3018f9f57435ea75092633097182646f7e4ca23e2e2aa1393c0

SHA512
9148227032d98d49baf0d81a7435ba3adc653d7790245140acc50c38de00839d26a661b92f6754b15bab54fe81fbcf9003692fd7bef09027f11ef703a5879e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ddc214e-3e49-4de9-b9ac-117115e99b2f.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Passwords.txt

Filesize
14B

MD5
b4b41665eb819824e886204a28cc610b

SHA1
e778edb6f635f665c0b512748b8fec6a2a23a88b

SHA256
635f814c1f34ee53ee62b67f989fec91eb0e08f63769ab4bd22cf4206a2cfff6

SHA512
37648652b1df14aa427382a4dac70d58a107d3dd77bd1977afc3acce8c56b7b6531b67d33f4b61b9fb8fbb9230ab0dfd461db07c1cc11a2923604e910a743d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5vnlgns1.5i1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1108-86-0x000002DA1FC00000-0x000002DA1FC01000-memory.dmp

Filesize
4KB

Download
memory/1108-87-0x000002DA1FC00000-0x000002DA1FC01000-memory.dmp

Filesize
4KB

Download
memory/1108-88-0x000002DA1FC00000-0x000002DA1FC01000-memory.dmp

Filesize
4KB

Download
memory/1108-92-0x000002DA1FC00000-0x000002DA1FC01000-memory.dmp

Filesize
4KB

Download
memory/1108-93-0x000002DA1FC00000-0x000002DA1FC01000-memory.dmp

Filesize
4KB

Download
memory/1108-98-0x000002DA1FC00000-0x000002DA1FC01000-memory.dmp

Filesize
4KB

Download
memory/1108-97-0x000002DA1FC00000-0x000002DA1FC01000-memory.dmp

Filesize
4KB

Download
memory/1108-96-0x000002DA1FC00000-0x000002DA1FC01000-memory.dmp

Filesize
4KB

Download
memory/1108-95-0x000002DA1FC00000-0x000002DA1FC01000-memory.dmp

Filesize
4KB

Download
memory/1108-94-0x000002DA1FC00000-0x000002DA1FC01000-memory.dmp

Filesize
4KB

Download
memory/2496-5-0x0000015A35020000-0x0000015A35042000-memory.dmp

Filesize
136KB

Download
memory/3112-30-0x0000021A66920000-0x0000021A66970000-memory.dmp

Filesize
320KB

Download