Malware Analysis Report

2025-03-15 06:31

Sample ID: 240123-dmyp7afhg2
Target: bac1beef11c340ae6632b50d2ce1fb80.bin
SHA256: 9865e960e55907838a0e658e14ef1c70e91583cbe80da963f874df74022eb2bd
Tags: warzonerat infostealer rat persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 9865e960e55907838a0e658e14ef1c70e91583cbe80da963f874df74022eb2bd

Threat Level: Known bad

The file bac1beef11c340ae6632b50d2ce1fb80.bin was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat persistence

WarzoneRat, AveMaria

Warzone RAT payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-23 03:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-23 03:08
Reported: 2024-01-23 03:10
Platform: win7-20231215-en
Max time kernel: 121s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe"

Signatures

WarzoneRat, AveMaria (rat infostealer warzonerat)

Warzone RAT payload (rat)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s) (persistence)

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1996 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1996 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1996 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1996 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\schtasks.exe
PID 1996 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\schtasks.exe
PID 1996 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\schtasks.exe
PID 1996 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\schtasks.exe
PID 1996 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 1996 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 1996 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 1996 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 1996 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 1996 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 1996 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 1996 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 1996 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 1996 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 1996 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 1996 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 2820 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WerFault.exe
PID 2820 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WerFault.exe
PID 2820 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WerFault.exe
PID 2820 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe

"C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tstbRYA.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tstbRYA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E71.tmp"

C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe

"C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 200

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp9E71.tmp

MD5 bea70f9b08543e55c17f33de36a87c47
SHA1 83a3ee8790faea34ce4e52bfbf87fbcd2ec1efde
SHA256 6fc2e28a3dd37d9bb7e894fdcb4b4f74a5225f0dc86bafebdd28b5863fcbacf9
SHA512 1c4168cfaf3db21c0f839bf30758d707a94c46b323c9d1d2ce26a906775c5784c05b1606438b3bd78a7d86f94b2ebb27d189c17f37b27bd3c513983b771f432b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-23 03:08
Reported: 2024-01-23 03:10
Platform: win10v2004-20231215-en
Max time kernel: 143s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe"

Signatures

WarzoneRat, AveMaria (rat infostealer warzonerat)

Warzone RAT payload (rat)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\ProgramData\images.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A

Adds Run key to start application (persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PO = "C:\\ProgramData\\images.exe" C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe N/A

Enumerates physical storage devices

Creates scheduled task(s) (persistence)

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\images.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\schtasks.exe
PID 2888 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\schtasks.exe
PID 2888 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\schtasks.exe
PID 2888 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 2888 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 2888 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 2888 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 2888 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 2888 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 2888 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 2888 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 2888 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 2888 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 2888 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
PID 4116 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\ProgramData\images.exe
PID 4116 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\ProgramData\images.exe
PID 4116 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1132 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 1132 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 1132 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 3728 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\schtasks.exe
PID 3760 wrote to memory of 3728 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\schtasks.exe
PID 3760 wrote to memory of 3728 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\schtasks.exe
PID 3760 wrote to memory of 1116 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1116 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1116 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1632 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1632 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1632 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1632 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1632 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1632 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1632 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1632 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1632 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1632 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3760 wrote to memory of 1632 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1632 wrote to memory of 3552 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 3552 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 3552 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 1936 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1936 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1936 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1936 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1936 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe

"C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tstbRYA.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tstbRYA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF211.tmp"

C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe

"C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tstbRYA.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tstbRYA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4810.tmp"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 173.249.202.75:5200 N/A tcp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 173.249.202.75:5200 N/A tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 173.249.202.75:5200 N/A tcp
US 173.249.202.75:5200 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpF211.tmp

MD5 4a513cc34e99b08fbca474db739c7fb5
SHA1 fc3c35919980e0f3befbce6c8143c170b7e55a8e
SHA256 84ef5ce60a5445a507253c18215eae9ef482d5b44de72b78e5d428b971816109
SHA512 1249e6f02cae4f065136e371786eda1a23c5344ecb9f63ef84a42d081d146b8553736f03b301ad7dcf2187d98b4ff7a63a972eb54c4e87b7d86d74ccd2368c73

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ntaeustu.mkk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\images.exe

MD5 4a5f0e6918cd5cc59a6ebd46287d2f1f
SHA1 063c634c239c16bb3c1544b5c699f125a9c8a073
SHA256 c09d26f99d415ae75a08f7a4f9ece34ef9b50a9b855fc75c5fb7170fa9690bb1
SHA512 5eb1653a4b375711fcbbe936c55ae29ae4e3c43ae0b078a49fdff451dd2ca04a45e9936926846b2e5024764c53ef6e7e21450088aca007cdb0df597d83554c07

C:\ProgramData\images.exe

MD5 c13c22ff9ee9482229aa352be27c5871
SHA1 6b018c338372d7a4cfa38c87f2704094fa77383d
SHA256 c5439d2cfd60078e15886cb69ab2fd11edff4ea0866f1c84d58cc14262fea890
SHA512 a94e9766cd58737db961e61bcdcedbf3b45c5eed2e849a03da66e6838d866af88961f65346660483583784760e84ac2ef0a61d93301c019fd8f4b48cfdb621c6

C:\ProgramData\images.exe

MD5 a057c9836cbeb61ad633d50a004a2ae2
SHA1 dd53d87b0250350172d4ba0627672d65187b4fc4
SHA256 3771eac470685b323e64c4ffba4c9d81216efe2d173e7a792616f7da021df8e8
SHA512 cffeac0ae4047afff66c8aea6b55c37abfdcf013a05a96287b08f83b09b708696e4898413cb8c2905fe4a209e744aa6bbbde2723b660f4803e419801141ef857

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 578db4856977a132b7cddaaf6192b6e9
SHA1 bcc4d470a16085c4f350318b2e47414040010180
SHA256 efb9471b297a8a06038987edaeb9b9805371df29645082e045795bec9df8f58f
SHA512 cae96b407133df05a8f9cb780b522b4ee0c528898605508d71446160a6391ba7989441e36419d9735a3e45908a13222eb0da0dde112def3df45a84c099f0becd

C:\ProgramData\images.exe

MD5 bac1beef11c340ae6632b50d2ce1fb80
SHA1 eed74625db691bb0d498afec7b5b376e83bf5ff1
SHA256 13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310
SHA512 1486f2cf857b0f2dbd4717adebe266b86d8efd0d5554751349606d51844bb77e59d85dda5246c414902d2029ef5d6c895ac417fd7d47556978f7f3fd063ac8b6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8e527ffb25afc4617ab2176e0de6dd3f
SHA1 70d373f10a9eba0ef64c4e08e2e898d77db2b5f7
SHA256 4f9a771b740ebed0491a93b0825bcca17336b0015dbfff9e258de8b526058e03
SHA512 3b84c0f0015e90390d666ab431bd50ee4a4484fb0110b711e418d2260f64cbf7eb6a428916ef6e48a912412b3aed5ef2b12fb9431fd47acb7de49538040f9a91