Malware Analysis Report

2025-03-15 06:28

Sample ID 240131-h7j5rafbf9
Target 83cf1c8f4ccefbaf6881bf3d47236184
SHA256 5b185af278fe0bdf4ed8724f98efa63f50c2bfc5a3d704d31e7a1d08a8089d39
Tags
warzonerat zgrat infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b185af278fe0bdf4ed8724f98efa63f50c2bfc5a3d704d31e7a1d08a8089d39

Threat Level: Known bad

The file 83cf1c8f4ccefbaf6881bf3d47236184 was found to be: Known bad.

Malicious Activity Summary

warzonerat zgrat infostealer rat trojan

Detects BazaLoader malware

WarzoneRat, AveMaria

ZGRat

Detect ZGRat V1

Warzone RAT payload

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-31 07:22

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 07:22

Reported

2024-01-31 07:25

Platform

win7-20231215-en

Max time kernel

155s

Max time network

176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe"

Signatures

Detect ZGRat V1

Detects BazaLoader malware

trojan

WarzoneRat, AveMaria

rat infostealer warzonerat

ZGRat

rat zgrat

Warzone RAT payload

rat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\images.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe N/A
N/A N/A C:\ProgramData\images.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2776 set thread context of 2600 N/A C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe
PID 548 set thread context of 1000 N/A C:\ProgramData\images.exe C:\Users\Admin\AppData\Local\Temp\images.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe N/A
N/A N/A C:\ProgramData\images.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\images.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2776 wrote to memory of 2600 (11 calls) N/A C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe
PID 2600 wrote to memory of 528 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 548 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe C:\ProgramData\images.exe
PID 528 wrote to memory of 1476 (4 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 548 wrote to memory of 1000 (11 calls) N/A C:\ProgramData\images.exe C:\Users\Admin\AppData\Local\Temp\images.exe
PID 1000 wrote to memory of 896 (6 calls) N/A C:\Users\Admin\AppData\Local\Temp\images.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe

"C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe"

C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe

C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"

C:\Users\Admin\AppData\Local\Temp\images.exe

C:\Users\Admin\AppData\Local\Temp\images.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
FR 172.217.20.174:80 google.com tcp
US 8.8.8.8:53 www.google.com udp
FR 142.250.74.228:80 www.google.com tcp
FR 172.217.20.174:80 google.com tcp
FR 142.250.74.228:80 www.google.com tcp
US 8.8.8.8:53 sdafsdffssffs.ydns.eu udp
NL 45.66.230.36:6703 sdafsdffssffs.ydns.eu tcp
NL 45.66.230.36:6703 sdafsdffssffs.ydns.eu tcp
NL 45.66.230.36:6703 sdafsdffssffs.ydns.eu tcp

Files

\ProgramData\images.exe

MD5 83cf1c8f4ccefbaf6881bf3d47236184
SHA1 81b2b3c9962892d5a4d7bcd9c8a51ab02a8809bb
SHA256 5b185af278fe0bdf4ed8724f98efa63f50c2bfc5a3d704d31e7a1d08a8089d39
SHA512 0d91b62501faf983bfcd54718f1ca031e69cfc2bb0251dc5a09aa765eae4be741f1b2116baba70e096569a69214b80886f8ab67ee5b50cbbe7762663cd586e39

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-31 07:22

Reported

2024-01-31 07:25

Platform

win10v2004-20231215-en

Max time kernel

131s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe"

Signatures

Detect ZGRat V1

Detects BazaLoader malware

trojan

WarzoneRat, AveMaria

rat infostealer warzonerat

ZGRat

rat zgrat

Warzone RAT payload

rat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\images.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3096 set thread context of 4056 N/A C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe
PID 2984 set thread context of 1492 N/A C:\ProgramData\images.exe C:\Users\Admin\AppData\Local\Temp\images.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\images.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3096 wrote to memory of 4056 (10 calls) N/A C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe
PID 4056 wrote to memory of 2276 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 2984 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe C:\ProgramData\images.exe
PID 2276 wrote to memory of 2236 (3 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2984 wrote to memory of 1492 (10 calls) N/A C:\ProgramData\images.exe C:\Users\Admin\AppData\Local\Temp\images.exe
PID 1492 wrote to memory of 4272 (5 calls) N/A C:\Users\Admin\AppData\Local\Temp\images.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe

"C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe"

C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe

C:\Users\Admin\AppData\Local\Temp\83cf1c8f4ccefbaf6881bf3d47236184.exe

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"

C:\Users\Admin\AppData\Local\Temp\images.exe

C:\Users\Admin\AppData\Local\Temp\images.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
FR 172.217.20.174:80 google.com tcp
US 8.8.8.8:53 www.google.com udp
FR 142.250.74.228:80 www.google.com tcp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 174.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 228.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
FR 172.217.20.174:80 google.com tcp
FR 142.250.74.228:80 www.google.com tcp
US 8.8.8.8:53 sdafsdffssffs.ydns.eu udp
NL 45.66.230.36:6703 sdafsdffssffs.ydns.eu tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 45.66.230.36:6703 sdafsdffssffs.ydns.eu tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
NL 45.66.230.36:6703 sdafsdffssffs.ydns.eu tcp
NL 45.66.230.36:6703 sdafsdffssffs.ydns.eu tcp

Files

C:\ProgramData\images.exe

MD5 b4ac62da4f1f5c8543ab1f8354f36fb1
SHA1 028ff06f044f23e44c159a33cdc79aafbb87f3cc
SHA256 2d953eb5ae845dcdc7ca52c7d3b0d6a4bad2fd51365618bea056f84c9fbe408e
SHA512 15e267805456149b16ebb29f0b5ba722c8d922c0988237bcb104f228e29945d29bb8714a73fde1bf35c86beb9f2893d7e1871fdd8b85066c52f7e6df110994cf

C:\ProgramData\images.exe

MD5 5e00181cf94efdd89bc0ddafa8bbfc51
SHA1 a470fc51ceb53f21f053bc61e6bf404964752a61
SHA256 add1629a7d6e5958aa52cac505d359937dd31ac576d79488c5a34d3d50c25bc7
SHA512 dcb1304d93899d99b837cd6bb90879b565a48295ffff62a32ecfda4906debbf199d3db3d076ac58e2a2f9c1494ad32d82856301077664e1679a7e21306079a46

C:\Users\Admin\AppData\Local\Temp\images.exe

MD5 83cf1c8f4ccefbaf6881bf3d47236184
SHA1 81b2b3c9962892d5a4d7bcd9c8a51ab02a8809bb
SHA256 5b185af278fe0bdf4ed8724f98efa63f50c2bfc5a3d704d31e7a1d08a8089d39
SHA512 0d91b62501faf983bfcd54718f1ca031e69cfc2bb0251dc5a09aa765eae4be741f1b2116baba70e096569a69214b80886f8ab67ee5b50cbbe7762663cd586e39
