Malware Analysis Report

2025-03-15 06:30

Sample ID 240128-jmp1yaedc5
Target 7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c
SHA256 7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c
Tags warzonerat infostealer persistence rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c

Threat Level: Known bad

The file 7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat, AveMaria

Warzone RAT payload

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-28 07:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-28 07:47

Reported

2024-01-28 07:49

Platform

win10v2004-20231222-en

Max time kernel

127s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\Bins.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\Bins.exe N/A
N/A N/A C:\Users\Admin\Documents\Bins.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\Bins.exe" C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Documents\Documents:ApplicationData C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\Bins.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1356 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1356 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1356 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1356 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1356 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1356 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1356 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1356 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1356 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1356 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1356 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1356 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1356 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1356 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1356 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1356 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 2964 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\Documents\Bins.exe
PID 2964 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\Documents\Bins.exe
PID 2964 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\Documents\Bins.exe
PID 4336 wrote to memory of 1396 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4336 wrote to memory of 1396 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4336 wrote to memory of 1396 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4336 wrote to memory of 4820 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\schtasks.exe
PID 4336 wrote to memory of 4820 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\schtasks.exe
PID 4336 wrote to memory of 4820 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\schtasks.exe
PID 4336 wrote to memory of 4800 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 4336 wrote to memory of 4800 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 4336 wrote to memory of 4800 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 4336 wrote to memory of 4800 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 4336 wrote to memory of 4800 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 4336 wrote to memory of 4800 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 4336 wrote to memory of 4800 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 4336 wrote to memory of 4800 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 4336 wrote to memory of 4800 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 4336 wrote to memory of 4800 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 4336 wrote to memory of 4800 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 4800 wrote to memory of 3712 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 3712 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 3712 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 1804 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 1804 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 1804 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 1804 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 1804 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe

"C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hDGbEat.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hDGbEat" /XML "C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp"

C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe

"C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"

C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe

"C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Users\Admin\Documents\Bins.exe

"C:\Users\Admin\Documents\Bins.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hDGbEat.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hDGbEat" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF211.tmp"

C:\Users\Admin\Documents\Bins.exe

"C:\Users\Admin\Documents\Bins.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 74.50.93.170:4040 tcp
US 74.50.93.170:4040 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 74.50.93.170:4040 tcp
US 74.50.93.170:4040 tcp

Files

memory/1356-0-0x0000000000C90000-0x0000000000D1C000-memory.dmp

memory/1356-1-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/1356-2-0x0000000005E10000-0x00000000063B4000-memory.dmp

memory/1356-3-0x0000000005710000-0x00000000057A2000-memory.dmp

memory/1356-4-0x0000000005910000-0x0000000005920000-memory.dmp

memory/1356-5-0x00000000057B0000-0x00000000057BA000-memory.dmp

memory/1356-6-0x00000000058E0000-0x00000000058F4000-memory.dmp

memory/1356-7-0x0000000005B10000-0x0000000005B1A000-memory.dmp

memory/1356-8-0x0000000005B20000-0x0000000005B2E000-memory.dmp

memory/1356-9-0x00000000069C0000-0x0000000006A22000-memory.dmp

memory/1356-10-0x00000000090F0000-0x000000000918C000-memory.dmp

memory/4840-15-0x0000000002DF0000-0x0000000002E26000-memory.dmp

memory/1356-16-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/4840-17-0x0000000005910000-0x0000000005F38000-memory.dmp

memory/4840-18-0x0000000074D60000-0x0000000075510000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp

MD5 3715384c43cc348d40a6da3deee9cacb
SHA1 efb1d500950e50aac89a36d5352e3b3e4bb9d459
SHA256 f5bafa3c9b6938a503f2482bae44b31d48a2a030c66cbe910fbd02a71bb3e171
SHA512 0b2c63175d6b82d200f9008e08614d8ec83803814c5e2b4e0f392174fb05d372e212d36f252f2c5465a8ba5f42ae6f1ef13b2b62d7722a62a811da48f3104a9d

memory/4840-20-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

memory/1356-22-0x0000000005910000-0x0000000005920000-memory.dmp

memory/4840-21-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

memory/2964-23-0x0000000000400000-0x000000000055A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gl1ehsr5.2jo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4840-30-0x0000000005F80000-0x0000000005FA2000-memory.dmp

memory/1356-39-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/4840-38-0x0000000006230000-0x0000000006296000-memory.dmp

memory/4840-33-0x0000000006050000-0x00000000060B6000-memory.dmp

memory/2964-40-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2964-32-0x0000000000400000-0x000000000055A000-memory.dmp

memory/4840-41-0x0000000006300000-0x0000000006654000-memory.dmp

memory/4840-43-0x0000000006740000-0x000000000678C000-memory.dmp

memory/4840-42-0x0000000006700000-0x000000000671E000-memory.dmp

memory/4840-58-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

memory/4840-59-0x0000000007700000-0x00000000077A3000-memory.dmp

memory/4840-56-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

memory/4840-57-0x00000000076E0000-0x00000000076FE000-memory.dmp

memory/4840-61-0x0000000007A20000-0x0000000007A3A000-memory.dmp

memory/4840-60-0x0000000008070000-0x00000000086EA000-memory.dmp

memory/4840-62-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

memory/4840-46-0x00000000755F0000-0x000000007563C000-memory.dmp

memory/4840-63-0x0000000007CA0000-0x0000000007D36000-memory.dmp

memory/4840-45-0x0000000006CE0000-0x0000000006D12000-memory.dmp

memory/4840-64-0x0000000007C20000-0x0000000007C31000-memory.dmp

memory/4840-44-0x000000007FCA0000-0x000000007FCB0000-memory.dmp

memory/4840-65-0x0000000007C50000-0x0000000007C5E000-memory.dmp

memory/4840-66-0x0000000007C60000-0x0000000007C74000-memory.dmp

memory/4848-69-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/4848-68-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/4840-79-0x0000000007D60000-0x0000000007D7A000-memory.dmp

memory/4848-67-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/4840-80-0x0000000007D40000-0x0000000007D48000-memory.dmp

memory/4840-83-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/4848-84-0x000000007F360000-0x000000007F370000-memory.dmp

memory/4848-85-0x00000000755F0000-0x000000007563C000-memory.dmp

memory/4848-96-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/4848-95-0x0000000004D30000-0x0000000004D40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1b4073b55d8750eb32ecc705efd0711d
SHA1 47cc101e4e5d7c180f98adce4795f397d1a593ef
SHA256 f40c878ffad3e8ba21243c3514cf13c50067cb1d9b6ba650101b5f9b7af9af90
SHA512 4e64fbd757d27dd7779efe8c544bcb52c6f9c0d85945defeaf2f3c20f8a7347552095f0b01dbc3cdd3213bb1cd8c11342f7e6646ae8b5eaf20c7616d2005f14b

memory/4848-100-0x0000000074D60000-0x0000000075510000-memory.dmp

C:\Users\Admin\Documents\Bins.exe

MD5 56e8402d0a1e55ebf85b38aab8fdcee1
SHA1 0114708fadf2499b4ab2a8b35899ba9516287bc6
SHA256 7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c
SHA512 f888b3001768b46cd0dfa497f4dc063475371df14b899d025b230bf21c921ba00207a4a80e4243f05881b662be5b5ecd301f1b30ca62792a6885c370c0de1716

memory/2964-108-0x0000000000400000-0x000000000055A000-memory.dmp

memory/4336-110-0x0000000004DF0000-0x0000000004E00000-memory.dmp

memory/4336-109-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/1396-115-0x0000000002850000-0x0000000002860000-memory.dmp

C:\Users\Admin\Documents\Bins.exe

MD5 c2e3c74dd0281dabef41195925dcc5be
SHA1 3093ff72756f0d6774136a8ec5bef33a01ca215f
SHA256 da59dd8cfeb73d2498303dbe4142c230923c7aa6032e92cf9411338e54ccb01e
SHA512 5eb745a1e163bb0de311f7b7bda0b6fc69984879438e968f0e1c153f8a7946ba24e16332e2eb0f3ae0210afcfe26e37c52fbc41208e537070387d86aab717afd

memory/1396-114-0x0000000002850000-0x0000000002860000-memory.dmp

memory/1396-113-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/4336-130-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/4800-129-0x0000000000400000-0x000000000055A000-memory.dmp

memory/4800-131-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1396-132-0x0000000005C10000-0x0000000005F64000-memory.dmp

memory/1396-134-0x0000000006660000-0x00000000066AC000-memory.dmp

memory/1396-136-0x0000000075640000-0x000000007568C000-memory.dmp

memory/1396-146-0x0000000007360000-0x0000000007403000-memory.dmp

memory/1396-135-0x000000007F210000-0x000000007F220000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dcfe886df91924bd87a9f6455b0cbbc8
SHA1 701d179ddc4aebb8ace4af908d4f13a7b85db9a7
SHA256 7229005ba03c8e5b45aa6b50eced069e916272c0c54b97feca52784c18afe65b
SHA512 7eb19235fbbed1c071ae6f8ada3d2e08f89d398f9cf4aba7f6c57e908fedeab5b55366c60c790b2c77a5d5a9eb23947e316838bbf9ba9083e164e3f1255fa601

memory/1804-183-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-28 07:47

Reported

2024-01-28 07:49

Platform

win7-20231129-en

Max time kernel

148s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1936 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1936 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1936 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1936 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1936 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1936 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1936 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1936 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1936 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1936 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1936 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1936 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1936 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe

"C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hDGbEat.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hDGbEat" /XML "C:\Users\Admin\AppData\Local\Temp\tmp563B.tmp"

C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe

"C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"

Network

N/A

Files

memory/1936-1-0x0000000074990000-0x000000007507E000-memory.dmp

memory/1936-0-0x0000000000AA0000-0x0000000000B2C000-memory.dmp

memory/1936-2-0x0000000004E20000-0x0000000004E60000-memory.dmp

memory/1936-3-0x0000000000210000-0x0000000000224000-memory.dmp

memory/1936-4-0x0000000000250000-0x000000000025A000-memory.dmp

memory/1936-5-0x00000000002E0000-0x00000000002EE000-memory.dmp

memory/1936-6-0x00000000020C0000-0x0000000002122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp563B.tmp

MD5 8799976004a4621dac11fd523e8ff5d7
SHA1 1e196a06adfb9f77355563f2bd378687a1cfb814
SHA256 e7c959277c76c61fcd8c31c06ed4a54c99dcae7955fa7986a8e40b61bb0d5a0f
SHA512 f1a2ffd5bc321109adcb7a6deacaf43dd5e4a9742c63ec1416c7cb284e171bfc79dd69d52f403c839c81092fe4f6f9b0af8903fd4db6cc44abca4abece1d6617

memory/2584-14-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2584-16-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2584-19-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1936-18-0x0000000074990000-0x000000007507E000-memory.dmp

memory/2584-20-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2584-21-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2584-23-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2584-25-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2092-27-0x000000006ED50000-0x000000006F2FB000-memory.dmp

memory/2092-28-0x000000006ED50000-0x000000006F2FB000-memory.dmp

memory/2092-29-0x0000000002AC0000-0x0000000002B00000-memory.dmp

memory/2092-31-0x0000000002AC0000-0x0000000002B00000-memory.dmp

memory/1936-32-0x0000000004E20000-0x0000000004E60000-memory.dmp

memory/2092-30-0x0000000002AC0000-0x0000000002B00000-memory.dmp

memory/2092-33-0x000000006ED50000-0x000000006F2FB000-memory.dmp