File name:

Gameplay tool_3_2_5_Jenkey1002.rar

Full analysis: https://app.any.run/tasks/92d87e48-ab25-4cd4-a676-901284702ccf
Verdict: Malicious activity
Analysis date: August 24, 2024, 19:06:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

84C22692C9FB948B7F14E3A173DF4051

SHA1:

0A6EE31A234E6952398B773536E5B9DE48FC1058

SHA256:

50DFC4B46BA73B44A3D05B145AEEB4BEE466E9464A279267BEBB1B2D6D0ECAF1

SSDEEP:

98304:NzQzKGXUMZ2ReHh5e17GpDl1Kr3jL+2i+VK+LA0Omix8FA0dhnHMUhJpdh3zvauC:sjU9sfO9edvyLgw5GXgCgo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 6772)
    • Probably uses Microsoft diagnostics tool to execute malicious payload

      • pcwrun.exe (PID: 6528)
    • Drops the executable file immediately after the start

      • csc.exe (PID: 5900)
      • csc.exe (PID: 4064)
      • csc.exe (PID: 208)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 5900)
      • csc.exe (PID: 4064)
      • csc.exe (PID: 208)
    • Gets file extension (POWERSHELL)

      • sdiagnhost.exe (PID: 6352)
    • Converts a string into array of characters (POWERSHELL)

      • sdiagnhost.exe (PID: 6352)
    • Uses RUNDLL32.EXE to load library

      • msdt.exe (PID: 6520)
  • INFO

    • Checks supported languages

      • Gameplay config.exe (PID: 7104)
      • Gameplay config.exe (PID: 2868)
      • Gameplay config.exe (PID: 2580)
      • Gameplay config.exe (PID: 4288)
      • Gameplay config.exe (PID: 1044)
      • csc.exe (PID: 5900)
      • csc.exe (PID: 4064)
      • cvtres.exe (PID: 4308)
      • cvtres.exe (PID: 1432)
      • csc.exe (PID: 208)
      • cvtres.exe (PID: 1108)
      • Gameplay config.exe (PID: 6668)
      • config.exe (PID: 3412)
      • config.exe (PID: 232)
      • manager.exe (PID: 2252)
    • Manual execution by a user

      • Gameplay config.exe (PID: 7104)
      • Gameplay config.exe (PID: 2580)
      • Taskmgr.exe (PID: 6580)
      • Gameplay config.exe (PID: 4288)
      • Gameplay config.exe (PID: 1044)
      • pcwrun.exe (PID: 6528)
      • config.exe (PID: 3412)
      • config.exe (PID: 232)
      • Taskmgr.exe (PID: 3032)
      • manager.exe (PID: 2252)
      • Gameplay config.exe (PID: 2868)
    • Reads mouse settings

      • Gameplay config.exe (PID: 2868)
      • Gameplay config.exe (PID: 7104)
      • Gameplay config.exe (PID: 2580)
      • Gameplay config.exe (PID: 4288)
      • Gameplay config.exe (PID: 1044)
      • Gameplay config.exe (PID: 6668)
    • Reads the computer name

      • Gameplay config.exe (PID: 2868)
      • Gameplay config.exe (PID: 2580)
      • Gameplay config.exe (PID: 7104)
      • Gameplay config.exe (PID: 4288)
      • Gameplay config.exe (PID: 1044)
      • Gameplay config.exe (PID: 6668)
      • config.exe (PID: 3412)
      • config.exe (PID: 232)
      • manager.exe (PID: 2252)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6772)
    • Create files in a temporary directory

      • pcwrun.exe (PID: 6528)
      • msdt.exe (PID: 6520)
      • sdiagnhost.exe (PID: 6352)
      • csc.exe (PID: 5900)
      • csc.exe (PID: 4064)
      • cvtres.exe (PID: 4308)
      • cvtres.exe (PID: 1432)
      • csc.exe (PID: 208)
      • cvtres.exe (PID: 1108)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 5900)
      • csc.exe (PID: 4064)
      • csc.exe (PID: 208)
    • Reads the software policy settings

      • msdt.exe (PID: 6520)
      • sdiagnhost.exe (PID: 6352)
    • Reads security settings of Internet Explorer

      • msdt.exe (PID: 6520)
      • sdiagnhost.exe (PID: 6352)
      • rundll32.exe (PID: 3684)
      • Taskmgr.exe (PID: 6580)
    • Checks proxy server information

      • sdiagnhost.exe (PID: 6352)
    • Uses string replace method (POWERSHELL)

      • sdiagnhost.exe (PID: 6352)
    • Uses string split method (POWERSHELL)

      • sdiagnhost.exe (PID: 6352)
    • Creates files or folders in the user directory

      • msdt.exe (PID: 6520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 57672
UncompressedSize: 142336
OperatingSystem: Win32
ModifyDate: 2013:02:03 10:55:16
PackingMethod: Normal
ArchivedFileName: Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\afs2fs.dll
No data.
All screenshots are available in the full report
Total processes
155
Monitored processes
24
Malicious processes
0
Suspicious processes
1

Behavior graph

  • start
  • winrar.exe
  • rundll32.exe (no specs)
  • gameplay config.exe (no specs)
  • gameplay config.exe (no specs)
  • taskmgr.exe (no specs)
  • taskmgr.exe
  • manager.exe (no specs)
  • gameplay config.exe (no specs)
  • gameplay config.exe (no specs)
  • gameplay config.exe
  • pcwrun.exe (no specs)
  • msdt.exe (no specs)
  • sdiagnhost.exe
  • conhost.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • rundll32.exe (no specs)
  • gameplay config.exe
  • config.exe (no specs)
  • config.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
208
CMD:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\gmex45am.cmdline"
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process:
sdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID:
232
CMD:
"C:\Users\admin\Desktop\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\config.exe"
Path:
C:\Users\admin\Desktop\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\config.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
KitServer 13 Configuration Tool
Exit code:
0
Version:
13.0.0.0
Modules
Images
c:\users\admin\desktop\gameplay tool_3_2_5_jenkey1002\gameplay tool\config.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID:
1044
CMD:
"C:\Users\admin\Desktop\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\Gameplay config.exe"
Path:
C:\Users\admin\Desktop\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\Gameplay config.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Gameplay tool configuration
Exit code:
0
Version:
3.2.4.0
Modules
Images
c:\users\admin\desktop\gameplay tool_3_2_5_jenkey1002\gameplay tool\gameplay config.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID:
1108
CMD:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES393.tmp" "c:\Users\admin\AppData\Local\Temp\CSC57A228801AF54DF88A21099B187E2.TMP"
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process:
csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
PID:
1432
CMD:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES77.tmp" "c:\Users\admin\AppData\Local\Temp\CSCE7F4FE1E30C24FF68AB36424F2B726BB.TMP"
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process:
csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
PID:
2252
CMD:
"C:\Users\admin\Desktop\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\manager.exe"
Path:
C:\Users\admin\Desktop\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\manager.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Kitserver 13 EXE Manager
Exit code:
0
Version:
13.3.0.0
Modules
Images
c:\users\admin\desktop\gameplay tool_3_2_5_jenkey1002\gameplay tool\manager.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
2580
CMD:
"C:\Users\admin\Desktop\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\Gameplay config.exe"
Path:
C:\Users\admin\Desktop\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\Gameplay config.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Gameplay tool configuration
Exit code:
0
Version:
3.2.4.0
Modules
Images
c:\users\admin\desktop\gameplay tool_3_2_5_jenkey1002\gameplay tool\gameplay config.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\wsock32.dll
PID:
2868
CMD:
"C:\Users\admin\Desktop\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\Gameplay config.exe"
Path:
C:\Users\admin\Desktop\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\Gameplay config.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Gameplay tool configuration
Exit code:
0
Version:
3.2.4.0
Modules
Images
c:\users\admin\desktop\gameplay tool_3_2_5_jenkey1002\gameplay tool\gameplay config.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\user32.dll
PID:
3032
CMD:
"C:\WINDOWS\system32\taskmgr.exe" /4
Path:
C:\Windows\System32\Taskmgr.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Manager
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
PID:
3412
CMD:
"C:\Users\admin\Desktop\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\config.exe"
Path:
C:\Users\admin\Desktop\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\config.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
KitServer 13 Configuration Tool
Exit code:
0
Version:
13.0.0.0
Modules
Images
c:\users\admin\desktop\gameplay tool_3_2_5_jenkey1002\gameplay tool\config.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
21 355
Read events
21 302
Write events
51
Delete events
2

Modification events

(PID) Process:
(6772) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:
write
Name:
ShellExtBMP
Value:

(PID) Process:
(6772) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:
write
Name:
ShellExtIcon
Value:

(PID) Process:
(6772) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process:
(6772) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
0
Value:
C:\Users\admin\AppData\Local\Temp\Gameplay tool_3_2_5_Jenkey1002.rar

(PID) Process:
(6772) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120

(PID) Process:
(6772) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80

(PID) Process:
(6772) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120

(PID) Process:
(6772) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100

(PID) Process:
(6580) Taskmgr.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:
delete value
Name:
Preferences
Value:

(PID) Process:
(6580) Taskmgr.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:
write
Name:
Preferences
Value:
Executable files
28
Suspicious files
18
Text files
189
Unknown types
2

Dropped files

PID
Process
Filename
Type
PID:
6772
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa6772.18474\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\afsio.dll
Type:
executable
MD5:17EAADE1837ECF1940D8E8B7111085E9
SHA256:602D4F25FBB1AD07CF3BEE0F5FC312092592CCB2462EC016C3977BF46658FE07

PID:
6772
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa6772.18474\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\chantserv.dll
Type:
executable
MD5:4F672D0B1A7FB946887261DAB6957223
SHA256:DC1E15FDA8027F85005629F7812DC6F2C16104DAB57699F87D0AE24A7D06F16D

PID:
6772
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa6772.18474\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\afs2fs.dll
Type:
executable
MD5:0E0F8051D2DD4D8D7B2AE55B1F442EFC
SHA256:6C7CC8A10E6DD02D63763E144863D49C1E4DCBBFD885FD12EEF390DC8CF4A6F8

PID:
6772
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa6772.18474\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\docs\history.txt
Type:
text
MD5:FFFC12F73461A944332E21CE75C9FABC
SHA256:FF40539AC841D4B69449353DB05AA2E54E309344790AA61875636752B9A043AD

PID:
6772
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa6772.18474\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\docs\afs2fs.png
Type:
image
MD5:3B53F4758C23CF87E54DB35154F91922
SHA256:E925946170E93F63F79B72A6D8D04BAD5F96C61B8FC2A82F273CB4E0EBD20D8D

PID:
6772
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa6772.18474\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\docs\config1.png
Type:
image
MD5:12E5A74979E614C93A0718809F397446
SHA256:66C2DAD229A5F15CE827492EEA8EC01E8FC53C53F5BAE8531517F7C20A24BFD4

PID:
6772
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa6772.18474\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\docs\manual.html
Type:
html
MD5:772743EF4A4A564876E136A3F758A587
SHA256:CFC3858DBA06193B7531ED4BB94EC2F99BD7161A4DF7CEA4B02C8DF772976AEC

PID:
6772
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa6772.18474\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\docs\license.txt
Type:
text
MD5:1C2E62B232777A414124F0C09C12EDB2
SHA256:25AAE4E554E8A0ACB405C85D8BD35829DD95664A862F535D1AE15082DA2C2CF8

PID:
6772
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa6772.18474\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\docs\manual_files\colorschememapping.xml
Type:
xml
MD5:6B7A472A22FBDBFF4B2B08DDB4F43735
SHA256:65F3CDBC4390C81B94FA960B7362917443FC1E6A51E3F81E4CB4C4DFA09DA4BE

PID:
6772
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa6772.18474\Gameplay tool_3_2_5_Jenkey1002\Gameplay tool\docs\manager.png
Type:
image
MD5:8863F77A8B5291534A926FC4F9A5F728
SHA256:26079D126680286A742914E2FFEEBBADCD9D1D985972D37B9CA805BC0B67D345
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
42
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5044
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6628
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3308
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1172
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
3308
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5044
svchost.exe
40.126.31.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5044
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.206
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.71
  • 20.190.159.0
  • 20.190.159.23
  • 40.126.31.69
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.68
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 104.126.37.128
  • 104.126.37.123
  • 104.126.37.170
  • 104.126.37.153
  • 104.126.37.176
  • 104.126.37.161
  • 104.126.37.178
  • 104.126.37.130
  • 104.126.37.186
whitelisted
th.bing.com
  • 104.126.37.161
  • 104.126.37.177
  • 104.126.37.179
  • 104.126.37.153
  • 104.126.37.145
  • 104.126.37.160
  • 104.126.37.154
  • 104.126.37.176
  • 104.126.37.170
whitelisted
r.bing.com
  • 104.126.37.170
  • 104.126.37.186
  • 104.126.37.176
  • 104.126.37.178
  • 104.126.37.139
  • 104.126.37.123
  • 104.126.37.128
  • 104.126.37.153
  • 104.126.37.161
whitelisted
browser.pipe.aria.microsoft.com
  • 13.89.179.14
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted

Threats

No threats detected
Process
Message
Gameplay config.exe
FTH: (6668): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***