Overview

Task                       Platform            Score
overview                   -                   7
static                     -                   3
WorldWars.exe              windows10-1703-x64  7
$PLUGINSDI...er.dll        windows10-1703-x64  1
$PLUGINSDI...ls.dll        windows10-1703-x64  3
$PLUGINSDI...em.dll        windows10-1703-x64  3
$PLUGINSDI...ll.dll        windows10-1703-x64  3
$PLUGINSDIR/app-64.7z      windows10-1703-x64  3
LICENSES.c...m.html        windows10-1703-x64  4
WorldWars.exe              windows10-1703-x64  7
chrome_100...nt.pak        windows10-1703-x64  3
chrome_200...nt.pak        windows10-1703-x64  3
d3dcompiler_47.dll         windows10-1703-x64  1
ffmpeg.dll                 windows10-1703-x64  1
icudtl.dat                 windows10-1703-x64  3
libEGL.dll                 windows10-1703-x64  1
libGLESv2.dll              windows10-1703-x64  1
locales/af.ps1             windows10-1703-x64  3
locales/en-US.pak          windows10-1703-x64  3
locales/uk.ps1             windows10-1703-x64  3
resources.pak              windows10-1703-x64  3
resources/app.asar         windows10-1703-x64  3
resources/elevate.exe      windows10-1703-x64  1
snapshot_blob.bin          windows10-1703-x64  3
v8_context...ot.bin        windows10-1703-x64  3
vk_swiftshader.dll         windows10-1703-x64  1
vulkan-1.dll               windows10-1703-x64  1
$PLUGINSDI...ec.dll        windows10-1703-x64  3
$PLUGINSDI...7z.dll        windows10-1703-x64  3
$R0/Uninst...rs.exe        windows10-1703-x64  7
$PLUGINSDI...ls.dll        windows10-1703-x64  3
$PLUGINSDI...em.dll        windows10-1703-x64  3
$PLUGINSDI...ll.dll        windows10-1703-x64  3
$PLUGINSDI...ec.dll        windows10-1703-x64  3

Resubmissions

Submitted           ID                  Score
16/07/2024, 12:36   240716-ps1mhswamh   7
16/07/2024, 01:37   240716-b2cedsyhjn   7
16/07/2024, 00:50   240716-a64h1azfkb   8

Analysis
max time kernel:   1801s
max time network:  1598s
platform:          windows10-1703_x64
resource:          win10-20240404-en
resource tags:     arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted:         16/07/2024, 12:36
Static task
static1

Behavioral tasks

Task          Sample                          Resource
behavioral1   WorldWars.exe                   win10-20240611-en
behavioral2   $PLUGINSDIR/SpiderBanner.dll    win10-20240404-en
behavioral3   $PLUGINSDIR/StdUtils.dll        win10-20240611-en
behavioral4   $PLUGINSDIR/System.dll          win10-20240404-en
behavioral5   $PLUGINSDIR/WinShell.dll        win10-20240611-en
behavioral6   $PLUGINSDIR/app-64.7z           win10-20240611-en
behavioral7   LICENSES.chromium.html          win10-20240404-en
behavioral8   WorldWars.exe                   win10-20240404-en
behavioral9   chrome_100_percent.pak          win10-20240404-en
behavioral10  chrome_200_percent.pak          win10-20240611-en
behavioral11  d3dcompiler_47.dll              win10-20240404-en
behavioral12  ffmpeg.dll                      win10-20240404-en
behavioral13  icudtl.dat                      win10-20240404-en
behavioral14  libEGL.dll                      win10-20240404-en
behavioral15  libGLESv2.dll                   win10-20240404-en
behavioral16  locales/af.ps1                  win10-20240404-en
behavioral17  locales/en-US.pak               win10-20240404-en
behavioral18  locales/uk.ps1                  win10-20240404-en
behavioral19  resources.pak                   win10-20240404-en
behavioral20  resources/app.asar              win10-20240404-en
behavioral21  resources/elevate.exe           win10-20240404-en
behavioral22  snapshot_blob.bin               win10-20240404-en
behavioral23  v8_context_snapshot.bin         win10-20240404-en
behavioral24  vk_swiftshader.dll              win10-20240404-en
behavioral25  vulkan-1.dll                    win10-20240404-en
behavioral26  $PLUGINSDIR/nsExec.dll          win10-20240404-en
behavioral27  $PLUGINSDIR/nsis7z.dll          win10-20240404-en
behavioral28  $R0/Uninstall WorldWars.exe     win10-20240404-en
behavioral29  $PLUGINSDIR/StdUtils.dll        win10-20240404-en
behavioral30  $PLUGINSDIR/System.dll          win10-20240404-en
behavioral31  $PLUGINSDIR/WinShell.dll        win10-20240611-en
behavioral32  $PLUGINSDIR/nsExec.dll          win10-20240404-en
General

Target:  WorldWars.exe
Size:    154.6MB
MD5:     2083e38dc689c08455a74b5201f3ebb2
SHA1:    b905d6d3ba73eba3b219ea6de7bb7e42de2605fb
SHA256:  5a48729eeb6e105d5849faee5d4888841c02263622e2fdd5b66309186910d7a2
SHA512:  6d16116a78aded98f26b44f6277e92f7f3296a752eef8247b3976f718e5b79144f353451687ebde16f6a559d868b25b46a2b9c84dc306c015507ae93efadc528
SSDEEP:  1572864:uTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:pv6E70+Mk
Malware Config

Signatures

Loads dropped DLL (1 IoC)
  PID   Process
  4164  WorldWars.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

An obfuscated cmd.exe command-line is typically used to evade detection. (1 IoC)
  PID   Process
  3992  cmd.exe

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  PID   Process
  4580  tasklist.exe
  1604  tasklist.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID   Process
  2228  powershell.exe (3 hits)
  3824  powershell.exe (3 hits)
  4200  WorldWars.exe (2 hits)
  4928  WorldWars.exe (4 hits)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\WorldWars.exe  (PID 4164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (PID 2500)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2228)
      Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 2836)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\tasklist.exe  (PID 4580)
      Command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 1444)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\tasklist.exe  (PID 1604)
      Command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 3992)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,228,173,236,142,239,113,195,75,140,113,18,38,91,244,218,123,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,129,175,135,137,185,122,77,189,62,225,253,172,49,176,39,145,226,85,134,62,188,107,177,176,62,170,133,52,43,26,154,72,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,228,95,112,198,161,112,115,223,80,16,27,225,178,137,144,253,199,132,5,44,234,91,70,221,134,160,202,96,25,132,25,103,48,0,0,0,121,154,6,88,102,246,48,57,103,179,211,145,8,41,212,106,223,226,139,239,64,117,157,14,32,8,120,144,61,41,221,76,103,54,215,48,236,252,72,145,132,62,174,200,105,234,37,197,64,0,0,0,40,230,37,237,32,116,71,253,91,223,25,180,29,81,3,119,31,171,175,42,137,247,20,242,139,67,213,206,8,12,224,33,136,111,86,248,76,24,8,69,11,106,124,80,119,147,64,147,218,108,250,75,125,139,6,105,1,28,134,6,76,60,43,69), $null, 'CurrentUser')"
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3824)
      Command line: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,228,173,236,142,239,113,195,75,140,113,18,38,91,244,218,123,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,129,175,135,137,185,122,77,189,62,225,253,172,49,176,39,145,226,85,134,62,188,107,177,176,62,170,133,52,43,26,154,72,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,228,95,112,198,161,112,115,223,80,16,27,225,178,137,144,253,199,132,5,44,234,91,70,221,134,160,202,96,25,132,25,103,48,0,0,0,121,154,6,88,102,246,48,57,103,179,211,145,8,41,212,106,223,226,139,239,64,117,157,14,32,8,120,144,61,41,221,76,103,54,215,48,236,252,72,145,132,62,174,200,105,234,37,197,64,0,0,0,40,230,37,237,32,116,71,253,91,223,25,180,29,81,3,119,31,171,175,42,137,247,20,242,139,67,213,206,8,12,224,33,136,111,86,248,76,24,8,69,11,106,124,80,119,147,64,147,218,108,250,75,125,139,6,105,1,28,134,6,76,60,43,69), $null, 'CurrentUser')
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 2120)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  (PID 4604)
      Command line: wmic cpu get name
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\WorldWars.exe  (PID 4972)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WorldWars" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1832,i,9497895560325006605,7764077364719857167,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

  C:\Users\Admin\AppData\Local\Temp\WorldWars.exe  (PID 4200)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\WorldWars" --mojo-platform-channel-handle=1296 --field-trial-handle=1832,i,9497895560325006605,7764077364719857167,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\cmd.exe  (PID 4916)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get ProcessorId"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  (PID 4576)
      Command line: wmic cpu get ProcessorId
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 3804)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get Product"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  (PID 2532)
      Command line: wmic baseboard get Product

  C:\Windows\system32\cmd.exe  (PID 760)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get SerialNumber"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  (PID 932)
      Command line: wmic baseboard get SerialNumber

  C:\Windows\system32\cmd.exe  (PID 4716)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption"

    C:\Windows\System32\Wbem\WMIC.exe  (PID 2820)
      Command line: wmic OS get caption

  C:\Windows\system32\cmd.exe  (PID 1808)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get TotalPhysicalMemory"

    C:\Windows\System32\Wbem\WMIC.exe  (PID 2952)
      Command line: wmic computersystem get TotalPhysicalMemory

  C:\Windows\system32\cmd.exe  (PID 1324)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_videocontroller get caption,PNPDeviceID"

    C:\Windows\System32\Wbem\WMIC.exe  (PID 3188)
      Command line: wmic path win32_videocontroller get caption,PNPDeviceID

  C:\Windows\system32\cmd.exe  (PID 2456)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get SerialNumber"

    C:\Windows\System32\Wbem\WMIC.exe  (PID 3384)
      Command line: wmic diskdrive get SerialNumber

  C:\Windows\system32\cmd.exe  (PID 4440)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

    C:\Windows\System32\Wbem\WMIC.exe  (PID 2828)
      Command line: wmic path win32_computersystemproduct get uuid

  C:\Users\Admin\AppData\Local\Temp\WorldWars.exe  (PID 4928)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\WorldWars" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1832,i,9497895560325006605,7764077364719857167,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads