Resubmissions
31-10-2024 16:41
241031-t7k8lazkgs 1031-10-2024 16:25
241031-twydsa1gpn 1031-10-2024 16:05
241031-tjfyzasndj 10Analysis
-
max time kernel
279s -
max time network
282s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
31-10-2024 16:25
General
-
Target
https://github.com/ByterCode/GameHackLoader/raw/refs/heads/main/GameHackLoader.zip
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 7 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 7 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ByterCode/GameHackLoader/raw/refs/heads/main/GameHackLoader.zip1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96a2446f8,0x7ff96a244708,0x7ff96a2447182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4704 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4123902078710586562,9408093113444608132,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:22⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\GameHack.yzz.me\GameHackLoader.exe"C:\Users\Admin\Desktop\GameHack.yzz.me\GameHackLoader.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\GameHack.yzz.me\GameHackLoader.exe"2⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exeC:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\OcfrTK8JDARDlvaB1VtYtk.vbe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\GRgVeTdXAWm7.bat" "5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpRunShellHost.exe"C:\Users\Admin\AppData\Roaming\Windows/Defender/MpRunShellHost.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2hryjqgz\2hryjqgz.cmdline"7⤵
- Drops file in System32 directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F51.tmp" "c:\Windows\System32\CSC794329FB5E304F3899DD47DAB9DEA8C.TMP"8⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\txxvc8dktP.bat"7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\All Users\msedge.exe"C:\Users\All Users\msedge.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Updates\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Updates\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\es-ES\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\All Users\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MpRunShellHostM" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\MpRunShellHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MpRunShellHost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\MpRunShellHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MpRunShellHostM" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\MpRunShellHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\Desktop\GameHack.yzz.me\GameHackLoader.exe"C:\Users\Admin\Desktop\GameHack.yzz.me\GameHackLoader.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\GameHack.yzz.me\GameHackLoader.exe"2⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exeC:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\OcfrTK8JDARDlvaB1VtYtk.vbe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\GRgVeTdXAWm7.bat" "5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpRunShellHost.exe"C:\Users\Admin\AppData\Roaming\Windows/Defender/MpRunShellHost.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinHelper32.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\GameHack.yzz.me\GameHackLoader.exe"C:\Users\Admin\Desktop\GameHack.yzz.me\GameHackLoader.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\GameHack.yzz.me\GameHackLoader.exe"2⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exeC:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\OcfrTK8JDARDlvaB1VtYtk.vbe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\GRgVeTdXAWm7.bat" "5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpRunShellHost.exe"C:\Users\Admin\AppData\Roaming\Windows/Defender/MpRunShellHost.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
4Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
1KB
MD523e95ec462ffa2c6ca8cab1cb8724ab1
SHA1ee3f5e815831cf925c4f00195cc8f336b6112862
SHA256c6ed38229b96cfb59e61de06854a1a99a9d6c3285a6b8511a7b60d64caa6979c
SHA512b92242ea8d3dbcd3de11725995c22f0a747b820cfff7cf44217589289621bdc2a25bb4db0e1f385bd6bc84c15d893fa5dad544e6bab89f072ccb822cd8bd08dd
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD5d7cb450b1315c63b1d5d89d98ba22da5
SHA1694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA25638355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8
-
Filesize
152B
MD537f660dd4b6ddf23bc37f5c823d1c33a
SHA11c35538aa307a3e09d15519df6ace99674ae428b
SHA2564e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d
-
Filesize
124KB
MD5dc5124d869d7ff7943ed200b49a64945
SHA1613a756d372f28f21bc0ecf3eadc1a0b59b598e5
SHA2568e81de540727f69a6f3b058f3e92ac3bc4c34b88929d61ca85622d05f7ee8eab
SHA51248c2c3fbd9bc18faaccf567fae18d699f2cd26e3d728c43adbf0f1cdc7c7abccfba74a82d5fbe44aa150fb940e4b3ddbc455c3c629950aa2adcd528bb6830846
-
Filesize
8KB
MD5f6923c5909ffa458e075b19656efaba8
SHA1356df10f2ddfc59c743807443398a33b45f69cbc
SHA256fdf939e915c176e2097864b6241cad7f83685ef1d71f26a7b01c10741ce82549
SHA5128fd7f1585a576317a0eaf587cd5b32e94b5c71525935af1e9587db034946d5a0405cb8e46477830d66c1dc9f86c29e7ec7cd952532af3bc434b48d5f8ab002af
-
Filesize
261B
MD52c2e6472d05e3832905f0ad4a04d21c3
SHA1007edbf35759af62a5b847ab09055e7d9b86ffcc
SHA256283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
SHA5128c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37
-
Filesize
5KB
MD5de272af76c5d7f258f20a5665c5cf27e
SHA1ef6419779fdc0861922ce33b0676f22dfef31dfd
SHA25605fc6b477b247aa6d66910ed510f5949ea8e054e4ea823fb833fa4dd0085fcbe
SHA512986741ee48d2d55ce3a4f615cca77634b63fa9a85e9ef9b437eede2f12918a0828b3546af40a2301d74ff376d3b7e49720a9ac8035ea6a3f11c5fd9ab9fa14a9
-
Filesize
6KB
MD522e69061e8855e635cead23b50adb515
SHA135694380c5a27c677bfb48f25e1487ff9f0a63fa
SHA2567dd842a880b0ceaa21147c4cdf0d3cd1a13a298837902f110a29cbe3b71f5b5a
SHA512e890a6621106c4ec903ad8b715eb7836ba9405e43c6ff5a0ef546e733759e0588aacb1532ecca0391ae5cb29242062fc5cb651c247b0a6c523606da2010fcbf2
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD52169d102c24d591a859f5a6a8c2de085
SHA1e21d75fb0e6d412d7db321f53c809dc8b81a93ef
SHA2566cf0554a98430384811d13bf3593a8a5ef7d1c6a67a6a38dce8829a78bdf3334
SHA512953f3c4df135bf5c38b6739264fcc3033b748c0fb65e48dddf6e0d5330d784e58a985a1ace9d022af19f731778d607793301d7e28dfd87aad12e661ff5523c3a
-
Filesize
12KB
MD5079a52e6a240e4c1aadcbd1f5016e905
SHA1ae39857ab0a501f7d91f7c2c3bf614323d71d464
SHA2561de747484283ccc87bff56a5c00fc41a1ab69d5d13c416c0fc91c0b7569e4915
SHA51253551b9d9590e120498e0252fe6a48451e0b6c006f17c419be721f3efdb404631e15d2a21c3e8eac387fce396a894b3798456bdd431e7e3270cfc0e55209810a
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5da5c82b0e070047f7377042d08093ff4
SHA189d05987cd60828cca516c5c40c18935c35e8bd3
SHA25677a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA5127360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b
-
Filesize
944B
MD5e60eb305a7b2d9907488068b7065abd3
SHA11643dd7f915ac50c75bc01c53d68c5dafb9ce28d
SHA256ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135
SHA51295c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b
-
Filesize
1KB
MD5fdc239d6ba94b91a215560284c58203e
SHA1c12c4d2f6d34dab732601a368d14ad8b23fcf70c
SHA2563a90735f321da3379a86cb359a89a6b8d48dbe906d091734e054e531a665415d
SHA512287aaa805fdc56f085444cb528ba9c28e66b178594bd2112a315cd810fe46126e0d338c592919f879579534a18204b0c7e8481740e48dc2a678d3e5bbbd9a38b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
157B
MD5f7f2fadc6b6dada665461832ad4df4d1
SHA19568ae41d24c00f3c240ba093cec28402a25f2b4
SHA256da4591c0e8807d5050648287dbd7bf6c8f707a45f8cccd4eaf77b9f31b1d568c
SHA51241f63c2393dd7ebe5937c1e12cef6f292adc43b58e31b8dd44dbb109fefb1f9a2b68c1ac3689d584a8b2cbd41ce1c2bc80f3ab89dfca23a463b8e455ed2aed88
-
Filesize
45B
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
Filesize
73KB
MD52c42faa919d3575fd4665a829e67ddef
SHA1b4b654f1f7ed3711318d98a78a994180601d0e27
SHA256b190f3271277dcc7df3570554a6af6a8b3454845f5688c4ebd4ae409135fe8eb
SHA51292bc4fdfff1704c59a01b82f702d829170ee773b1c84c9d857b30c79bd90f8a2e97fee44c5dfee95b2003655c0a1eb7d873cecdb1d71a3a6cd595029158dc203
-
Filesize
1.8MB
MD54d5846a0ba4bdca9dbfd1da8be106560
SHA1fe8883e6df706f7b7673a30adf91bf11e7072189
SHA256f761f522ee2fe2e7087423f30ccd11075638ef84172ebbaafa215b9cddb8e641
SHA5128614d5511dca277a28734dcb3e71d23538ddbf9fe56f0cfd7d15270febd76c1a00ef07182042264e3b858152bac4982aaadc7f2c45359789c22259da6554c527
-
Filesize
99B
MD59f357e45b5c57e60f387556c09e596a8
SHA1783837c6b1bf2c1fe065ee74fee37c7b5945bc87
SHA2563febc2554bcd8b0bdcc23e2cd562f8ca677952409a1206416191ca51b638b639
SHA512960d43f979afba3761e12684010ff6333b4a66f161660d868437eca2d4bc0c7d71b19be8b439b62e3b401747f3c8f6641aaeb3f22ee63a0c1bbea2a290fb3254
-
Filesize
1.7MB
MD522fda3cd13ab01a3ca0536185dfba3ad
SHA1e9859dabf2ae6eeec8bc97ac98e8090002930fc7
SHA256d00b0fbb60bd18e879bb360ea3ffd3fb3a790004b08ae63e5271b93ba6c30656
SHA512abefdd42c9a09d3f9892ab27de76b03d4153487b8e37b51e489a6610cbf39b83a24420e49fd49600d0a547898fab69df00670c1fc97fa1b6d51bee08f1ed8a9c
-
Filesize
427KB
MD5a94844d2397d7f8eade44d49aec77604
SHA1c621ec440a0ac83e28d773fccbe0823d0ae9a524
SHA256724c1654485154722b9f0a62f3e715e7bf5cd6350b608f7625adaa1f7c7e0b18
SHA5125d4addee99a9658b27f4da8693109614f97ebd858716822068944b13de84bb1e0e261571d2d6c375d57c85d74f465bf79dcf43ebe27de875679305ace6c0b711
-
Filesize
213B
MD5033ff360bc76eab6f5244c3c72b5a482
SHA1c0263cfa047fdfec3bf5172c16936f58e0d988ba
SHA256b4bc4976e1f76f5dcace5a80c7a20e9e5b7e211d95953afc326bb6fe328b499e
SHA512ec85cff873f23983b7346ddf87cdb29bfae495e009a72b22986223600777f6dacf6e114652e39d19105d10a09b3c505e63138b288b7f91265bc77e6514c46d05
-
Filesize
2.4MB
MD5ba6c31647c5a5eccf9b535dd59e5069f
SHA1445cfd5725f22c286c6ab6b950559e240528e4dd
SHA256500160c555f21bc39acc78ab1379f5156cf89abf02d0f6b66cfc3d809ae98f5b
SHA512a1cf93a3732467eb41961567af8a9778e6cd72e1f5b1219c7a7e34b88e2fa31b04e7b4cb1fd89fc166b507b558c25a1d3511cf19b3fa901a7eeda87263bc93f2
-
Filesize
4KB
MD5f851901be91f2ab9a0261add54cf3024
SHA18a6d22aea5d855d307fb2a5c621fcb5a72ac5859
SHA25675bf6bcc579b39a71729844bab345fa85999fd9d7c429423b6bfd223d22b245e
SHA5129e253834412643dabac7bc0410cacccda5d6089cf4e9511f71c745bfa2766326d53ac1af5a11a7343386f5534c413bbe083b2f8766bdf13c02822fc117f8c639
-
Filesize
396B
MD5526a2065e5a7476b8d0b5a129e72d87a
SHA16cf8ace4ecfdf1bd22b9b2d1b4cdb0f7f6c322bb
SHA256bb67a2ba8071840d8541743e6cb0849c797f7d56666dc91f70ef5592ea29deca
SHA51249c8ef10bccc287200ca8e79bca9c0d0a441020a2549d9ad8e3b192e2760577c16f2e7f1eb6403c9c0e9cd7e3dcc5fe371926e2dc85c336fa4cae168693ebc22
-
Filesize
235B
MD5428129dc95981d6149645dc1620220f5
SHA181ce1e31cca9bb241128f33cadc4a8f0adf058b0
SHA256a26998b3f858e6ae3d05d28a37617c7bf55db73fe122495bc47decc127b3cacb
SHA5120db91846a37442b6a915f600f49c4d52163a8354c8ece39ca526120668638227ae67b4da5de828aa478fa9c4849e4dc7809ce8c91035254bb9f0c3e8d48dda9e
-
Filesize
1KB
MD5034b083b6729ade0b138a24cbdd66c6d
SHA1299c5a9dd91498cfc4226a5fe6d52ea633c2d148
SHA2568e3aa7a68c0bfea6cae11fe40e79aa1483bc2e43c4c3fd11fcebca1f7bcea0d2
SHA51243f68ec3211f2d1eb3a095713b3988a5b45a6fb03136876431edd3b25b628f904079557cbb60d0107c0444551db274c8e6817d63a543e8a7e390206af64d1cc3
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
840KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
96KB
-
Filesize
48KB