Malware Analysis Report

2025-03-15 06:28

Sample ID 240203-asn66afbbr
Target 8aec3e39d7221708dfb0097ee6b65ae6
SHA256 633f9eb118305c7063574e56cf161e00a2a471b6257d73c98fa6ca6378f27866
Tags
warzonerat infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

633f9eb118305c7063574e56cf161e00a2a471b6257d73c98fa6ca6378f27866

Threat Level: Known bad

The file 8aec3e39d7221708dfb0097ee6b65ae6 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat trojan

What the two detonations show, read together: the sample starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe and writes into it repeatedly, in behavioral1 also setting the child's thread context (PIDs 2944 -> 2652; in behavioral2 1172 -> 3356 and, from the scheduled-task copy, 4952 -> 2340), which is the classic process-hollowing sequence; the memory dumps taken from the AppLaunch.exe host at 0x400000-0x55E000 are the place to look for the unpacked payload. On Windows 7 (behavioral1) the hollowed process crashed into WerFault.exe and no beacon was seen. On Windows 10 (behavioral2) the sample copied itself to C:\Users\Admin\AppData\Roaming\326324\326324.exe, registered a scheduled task "Nano" that runs that copy every minute, and the run produced repeated TCP connections to 95.168.173.176:5200 (NL) with no DNS resolution behind them, the only destination in either run that is not ordinary web or resolver traffic. Two caveats: the "Detects BazaLoader malware" rule hit carries no indicator detail in either run and should be treated as a rule overlap rather than evidence of a second family until confirmed, and the certificate-store and Internet Explorer registry changes are all made by the dropped DriverReviver.exe, whose presence is also consistent with the telemetry-style destinations (in.appcenter.ms, ssl.google-analytics.com, pki.goog) in the Network tables, which do not attribute rows to processes.

WarzoneRat, AveMaria

Detects BazaLoader malware

Warzone RAT payload

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-03 00:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 00:28

Reported

2024-02-03 00:31

Platform

win7-20231129-en

Max time kernel

134s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe"

Signatures

Detects BazaLoader malware

trojan
Description Indicator Process Target
N/A N/A N/A N/A (6 rule matches, no indicator detail reported)

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (6 rule matches, no indicator detail reported)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2944 set thread context of 2652 N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A

Modifies Internet Explorer settings

adware spyware

FEATURE_BROWSER_EMULATION is the documented per-executable setting for the document mode of an embedded WebBrowser control, and the value 11001 selects IE11 mode; every write below comes from the dropped DriverReviver.exe, so this is that application configuring its own UI control rather than a change to the user's browser.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\DriverReviver.exe = "11001" C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A

Modifies system certificate store

evasion spyware trojan

The writes below go to the AuthRoot store from DriverReviver.exe, alongside CryptnetUrlCache files (see Files) and traffic to pki.goog and www.microsoft.com (see Network); that combination is what the Windows automatic root-certificate update produces when a process builds a TLS chain, so check the two thumbprints against the Microsoft Trusted Root Program before treating this as a rogue root installation.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob not reproduced; 2 writes) C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob not reproduced; 3 writes) C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 2652 (14 events) N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2652 wrote to memory of 2744 (7 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2944 wrote to memory of 1436 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe

"C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 248

C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe

"C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 in.appcenter.ms udp
US 8.8.8.8:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
US 52.232.209.85:443 in.appcenter.ms tcp

Files

memory/2944-0-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/2944-1-0x0000000000930000-0x0000000002532000-memory.dmp

memory/2944-2-0x00000000068B0000-0x00000000068F0000-memory.dmp

memory/2944-3-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/2944-4-0x00000000068B0000-0x00000000068F0000-memory.dmp

memory/2652-5-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2652-6-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2652-7-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2652-8-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2652-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2652-11-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2652-9-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2652-14-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2652-16-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2652-19-0x0000000000400000-0x000000000055E000-memory.dmp

\Users\Admin\AppData\Local\Temp\DriverReviver.exe

MD5 340d9d4149067e9f7bc9dae00c464b02
SHA1 ae581de6deb0c0797dacbe65cae74861c7ca0023
SHA256 31314d7ca67e981d63fe3fe74ac848e630b89c84b75b6cec85187791ec26b4db
SHA512 b945507fd95dfed56462f433f854fb35c90822383eb6972db602348b54eca64e4d344d3ceea19e123b39c8ccf6f2ee70089c2d3ae55a2c7d131fbee2b7ee918e

C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe

MD5 6ed19ff991abe6ab23cc61ea1bea8d33
SHA1 58858af317bc77f708ccde9eb59fdd585a73ce0a
SHA256 65ddfb4f14fd2dc6a97cafe6228bc3b86085722a1b54837f544f0949c0022df9
SHA512 ba1a0d88d4ba27dbcdf54e52579a106d7c7d9ff081709528f96d3148e36117d2228a48d09deaddf9a6b8baf43f47739cc0b7936457c583fd341f782eaaab8ce5

C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe

MD5 c3ac31e5cf24b14e04e88cb737c42877
SHA1 e13cf35845312c02744fc6a83a3a10ef47d55a53
SHA256 8127976f3040b16aa9e49765caf022cecce64a28945c299f576191a501766d3a
SHA512 a7ebe829b1fd912eb7c2fdbcb5034a5f4fbd3a086f836e552a14432ac925ddcb19e5f85e5448232b7f2abb159c5378bcfed1bfc2d5216c3a4cc19ad0e4369ce0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar1615.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 59805195d43d79ffea529035419e668f
SHA1 cc21985bb4a01005dffd10e1cb6fb9a200d2653c
SHA256 3d2b139a6d329238f080b6c1fc9411626a0a8134f405732cfc68aa9ca745820c
SHA512 61c8fde1e9405ff484638cf0b476ad6027ad03519e5edfcb99c395b819574d98765a23ed361d9e0f918ddd5f970d9e523d10729265f8990910d45d948d32140e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 00:28

Reported

2024-02-03 00:31

Platform

win10v2004-20231222-en

Max time kernel

143s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe"

Signatures

Detects BazaLoader malware

trojan
Description Indicator Process Target
N/A N/A N/A N/A (6 rule matches, no indicator detail reported)

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (6 rule matches, no indicator detail reported)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\326324\326324.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\DriverReviver.exe = "11001" C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\326324\326324.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1172 wrote to memory of 3356 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1172 wrote to memory of 2596 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe
PID 1172 wrote to memory of 4948 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 2252 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 3768 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4952 wrote to memory of 2340 (10 events) N/A C:\Users\Admin\AppData\Roaming\326324\326324.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
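Both runs show the same injection shape: the sample (or its scheduled-task copy, 326324.exe) writes into a freshly started C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, and in behavioral1 the sandbox also reports SetThreadContext on that child; the memory dumps taken from the child at 0x400000-0x55E000 are where the unpacked payload would be. The following is an added example, not part of the sandbox report or of any tool it mentions: it parses rows in the format of the WriteProcessMemory and SetThreadContext tables (either one row per call or a row carrying an "(N events)" count), correlates them per (source PID, target PID) and grades each pair, so that a crashing process handing off to WerFault.exe or a parent launching a dropped EXE is not confused with hollowing. The host-binary names beyond AppLaunch.exe and the rule that anything under C:\Users is user-writable are the editor's assumptions; the sample rows are constructed from the two runs.

```python
import re
from collections import defaultdict
from ntpath import basename

# Rows of the report's WriteProcessMemory / SetThreadContext tables, either one
# row per call ("PID 2944 wrote to memory of 2652 N/A <src image> <dst image>") or
# collapsed with a count ("... of 2652 (14 events) N/A ...").
ROW = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)"
    r"(?: \((\d+) events\))? N/A (\S+) (\S+)$"
)

# Assumed list of signed Windows/.NET binaries used as hollowing hosts. Only
# AppLaunch.exe occurs in this report; the other names are an editor's addition.
HOST_BINARIES = {
    "applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
}

# Constructed sample: the (source, target) pairs from behavioral1 and behavioral2,
# with the per-call rows collapsed to one row carrying the event count.
SAMPLE = r"""
PID 2944 wrote to memory of 2652 (14 events) N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2944 set thread context of 2652 N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2652 wrote to memory of 2744 (7 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2944 wrote to memory of 1436 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe
PID 1172 wrote to memory of 3356 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"""


def parse_rows(text):
    """Yield (src_pid, kind, dst_pid, count, src_image, dst_image) per table row."""
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, verb, dst, count, src_img, dst_img = m.groups()
        kind = "ctx" if verb.startswith("set thread") else "write"
        yield int(src), kind, int(dst), int(count or 1), src_img, dst_img


def user_writable(path):
    """Assumption: anything under C:\\Users (profile, Temp, AppData) is user-writable."""
    return path.lower().startswith("c:\\users\\")


def triage(text):
    """Grade every (src_pid, dst_pid) pair; returns {pair: (verdict, write_count)}.

    hollowing       : writes into a known host binary plus SetThreadContext on it,
                      the sequence reported for 2944 -> 2652 in behavioral1
    write-into-host : writes into a host binary from a user-writable path with no
                      thread-context change reported (1172 -> 3356 in behavioral2)
    benign-pattern  : everything else, e.g. a crashing process handing its state to
                      WerFault.exe, or a parent starting a dropped EXE
    """
    writes = defaultdict(int)
    ctx = set()
    images = {}
    for src, kind, dst, count, src_img, dst_img in parse_rows(text):
        key = (src, dst)
        images[key] = (src_img, dst_img)
        if kind == "write":
            writes[key] += count
        else:
            ctx.add(key)

    verdicts = {}
    for key, (src_img, dst_img) in images.items():
        into_host = basename(dst_img).lower() in HOST_BINARIES
        if into_host and key in ctx and writes[key] > 0:
            verdicts[key] = ("hollowing", writes[key])
        elif into_host and user_writable(src_img):
            verdicts[key] = ("write-into-host", writes[key])
        else:
            verdicts[key] = ("benign-pattern", writes[key])
    return verdicts


if __name__ == "__main__":
    for (src, dst), (verdict, n) in sorted(triage(SAMPLE).items()):
        print(f"{src:>5} -> {dst:<5} {verdict:<16} ({n} writes)")
```

The "write-into-host" grade exists because behavioral2 reports the writes into AppLaunch.exe but no SetThreadContext row; in real telemetry (Sysmon event 10 or an EDR's process-access feed) the same two-stage scoring keeps a write-only pair visible without treating it as confirmed hollowing.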

Processes

C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe

"C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe

"C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\326324\326324.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe" "C:\Users\Admin\AppData\Roaming\326324\326324.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\326324\326324.exe'" /f

C:\Users\Admin\AppData\Roaming\326324\326324.exe

C:\Users\Admin\AppData\Roaming\326324\326324.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2340 -ip 2340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4952 -ip 4952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1740
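The persistence step in behavioral2 is a two-command sequence: cmd.exe copies the sample to C:\Users\Admin\AppData\Roaming\326324\326324.exe, and schtasks registers a task named "Nano" that launches that copy every minute with /f so any existing task of that name is replaced; 326324.exe (PID 4952) then runs and performs the same AppLaunch.exe injection. The following added example (the editor's, not the sandbox's or the malware's) parses process command lines of this shape with cmd.exe quoting rules, extracts the schtasks /create options, and scores each task; it also links a task to the copy command that staged its target, in whatever order the processes were listed. The sample command lines are the three from this run plus a constructed benign daily task for contrast; the 5-minute period threshold, the two-reason cut-off and the "C:\Users is user-writable" rule are assumptions.

```python
import re

# Constructed sample: the copy and schtasks command lines from behavioral2 above
# (both the cmd.exe wrapper and the bare schtasks form), plus one benign daily task
# added by the editor for contrast.
SAMPLE_CMDLINES = [
    r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\326324\326324.exe'" /f''',
    r'''"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\8aec3e39d7221708dfb0097ee6b65ae6.exe" "C:\Users\Admin\AppData\Roaming\326324\326324.exe"''',
    r'''schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\326324\326324.exe'" /f''',
    r'''schtasks /create /sc daily /st 03:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"''',
]

UNIT_MINUTES = {"minute": 1, "hourly": 60, "daily": 1440, "weekly": 10080}


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted runs whole.

    cmd.exe quoting has no backslash escapes, so POSIX shlex would mangle the paths.
    The surrounding double quotes are stripped from each token.
    """
    tokens = re.findall(r'"[^"]*"|\S+', cmd)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in tokens]


def parse_schtasks(tokens):
    """Return the options of a 'schtasks /create' invocation, or None if not one."""
    low = [t.lower() for t in tokens]
    start = next((i for i, t in enumerate(low)
                  if t.rsplit("\\", 1)[-1] in ("schtasks", "schtasks.exe")), None)
    if start is None or "/create" not in low[start:]:
        return None
    task = {"sc": None, "mo": "1", "tn": None, "tr": "", "force": "/f" in low[start:]}
    for i in range(start, len(tokens) - 1):
        key = low[i][1:] if low[i].startswith("/") else None
        if key in ("sc", "mo", "tn", "tr"):
            task[key] = tokens[i + 1]
    task["tr"] = task["tr"].strip("'")   # the sample wraps the /tr path in single quotes
    return task


def interval_minutes(task):
    """Trigger period in minutes, or None for event triggers (ONLOGON, ONSTART, ...)."""
    unit = UNIT_MINUTES.get((task["sc"] or "").lower())
    if unit is None:
        return None
    try:
        return int(task["mo"]) * unit
    except ValueError:
        return None


def user_writable(path):
    """Assumption: anything under C:\\Users (AppData, Temp, profile) is user-writable."""
    return path.lower().startswith("c:\\users\\")


def analyze(cmdlines):
    """Score every scheduled-task creation and tie it to the copy that staged its target."""
    tokenized = [tokenize(c) for c in cmdlines]

    # Pass 1: remember 'copy <src> <dst>' so a task can be linked to its staging step,
    # whatever order the sandbox listed the processes in.
    staged = {}
    for toks in tokenized:
        low = [t.lower() for t in toks]
        if "copy" in low:
            i = low.index("copy")
            if i + 2 < len(toks):
                staged[low[i + 2]] = toks[i + 1]

    # Pass 2: grade each task. Thresholds (5-minute period, two reasons) are assumptions.
    findings = []
    for toks in tokenized:
        task = parse_schtasks(toks)
        if task is None:
            continue
        reasons = []
        period = interval_minutes(task)
        if period is not None and period <= 5:
            reasons.append(f"fires every {period} min")
        if user_writable(task["tr"]):
            reasons.append("runs a binary from a user-writable path")
        if task["force"]:
            reasons.append("/f silently replaces an existing task of the same name")
        source = staged.get(task["tr"].lower())
        if source:
            reasons.append(f"target was staged by copy from {source}")
        findings.append({
            "name": task["tn"],
            "target": task["tr"],
            "reasons": reasons,
            "suspicious": len(reasons) >= 2,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_CMDLINES):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f'{flag:<10} {finding["name"]!r} -> {finding["target"]}')
        for reason in finding["reasons"]:
            print(f"             - {reason}")
```

Running it flags both "Nano" invocations (the cmd.exe wrapper and the bare schtasks child) on all four reasons and leaves the daily Program Files task alone; on a live host the same rule can be fed from Sysmon event 1 or Windows Security event 4698, where the task's XML carries the same trigger and action fields.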

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 216.58.204.78:80 google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:80 www.google.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 in.appcenter.ms udp
US 40.70.161.102:443 in.appcenter.ms tcp
NL 95.168.173.176:5200 tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 102.161.70.40.in-addr.arpa udp
US 8.8.8.8:53 72.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 95.168.173.176:5200 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
NL 95.168.173.176:5200 tcp
NL 95.168.173.176:5200 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
NL 95.168.173.176:5200 tcp
US 8.8.8.8:53 google.com udp
GB 216.58.204.78:80 google.com tcp
GB 142.250.178.4:80 www.google.com tcp
NL 95.168.173.176:5200 tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
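Two kinds of traffic are mixed in this table (and in behavioral1's): DNS plus HTTP/HTTPS to google.com, in.appcenter.ms, ssl.google-analytics.com and similar, each with a resolved domain on a web port, and repeated TCP connections to 95.168.173.176:5200 with no domain and no lookup behind them. The latter is the beacon: 5200 is the commonly documented default listener port for Warzone/AveMaria builds, and behavioral1, where the injected AppLaunch.exe crashed into WerFault.exe, never reaches it. The added example below (the editor's, not the sandbox's) parses rows in this table's format, separates resolver noise (including the in-addr.arpa PTR lookups, which are OS or sandbox behaviour rather than malware activity) from resolved web traffic, and promotes unresolved, repeated, non-web-port destinations to C2 candidates. The sample rows are a subset of this run's table; the "seen at least twice" and "not port 80/443" thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Rows of the report's Network table: "<CC> <ip>:<port> [<domain>] <tcp|udp>".
ROW = re.compile(
    r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$"
)

# Constructed sample: a subset of behavioral2's Network table above.
SAMPLE = """
US 8.8.8.8:53 google.com udp
GB 216.58.204.78:80 google.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 in.appcenter.ms udp
US 40.70.161.102:443 in.appcenter.ms tcp
NL 95.168.173.176:5200 tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
NL 95.168.173.176:5200 tcp
US 8.8.8.8:53 72.169.217.172.in-addr.arpa udp
NL 95.168.173.176:5200 tcp
NL 95.168.173.176:5200 tcp
"""

WEB_PORTS = {80, 443}


def parse_rows(text):
    """Yield (country, ip, port, domain_or_None, proto) for each table row."""
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            yield cc, ip, int(port), domain, proto


def triage_network(text):
    """Split the table into resolver noise, resolved web traffic and unresolved direct
    connections, and promote the latter to C2 candidates when repeated on a non-web port.

    Returns counts, the per-domain web connection tally and the candidate list sorted
    by hit count.
    """
    dns_queries = 0
    ptr_lookups = 0
    resolved_ips = set()                     # IPs that appear with a domain on a TCP row
    web = Counter()                          # domain -> connections on 80/443
    direct = defaultdict(lambda: {"count": 0, "cc": None})   # (ip, port) -> hits

    for cc, ip, port, domain, proto in parse_rows(text):
        if proto == "udp" and port == 53:
            # Resolver traffic. PTR lookups of public IPs are OS/sandbox noise, not a beacon.
            if domain and domain.endswith(".in-addr.arpa"):
                ptr_lookups += 1
            else:
                dns_queries += 1
            continue
        if domain:
            resolved_ips.add(ip)
            if port in WEB_PORTS:
                web[domain] += 1
            continue
        entry = direct[(ip, port)]
        entry["count"] += 1
        entry["cc"] = cc

    candidates = []
    for (ip, port), entry in direct.items():
        # Assumed thresholds: never resolved from a name, not a web port, seen twice or more.
        if ip in resolved_ips or port in WEB_PORTS or entry["count"] < 2:
            continue
        candidates.append({"ip": ip, "port": port, "cc": entry["cc"], "count": entry["count"]})
    candidates.sort(key=lambda c: -c["count"])

    return {
        "dns_queries": dns_queries,
        "ptr_lookups": ptr_lookups,
        "web": dict(web),
        "candidates": candidates,
    }


if __name__ == "__main__":
    summary = triage_network(SAMPLE)
    for c in summary["candidates"]:
        print(f"C2 candidate: {c['ip']}:{c['port']} ({c['cc']}) x{c['count']}")
    print("resolved web traffic:", summary["web"])
    print("DNS queries:", summary["dns_queries"], "PTR lookups:", summary["ptr_lookups"])
```

The same split applies to the behavioral1 table, where every row is either a resolver query or a resolved web destination and the candidate list comes back empty, matching the crash seen there before any beacon.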

Files

memory/1172-0-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/1172-1-0x0000000000E80000-0x0000000002A82000-memory.dmp

memory/1172-2-0x00000000079E0000-0x0000000007F84000-memory.dmp

memory/1172-3-0x0000000007380000-0x0000000007412000-memory.dmp

memory/1172-4-0x0000000007430000-0x0000000007496000-memory.dmp

memory/1172-5-0x0000000007370000-0x0000000007380000-memory.dmp

memory/1172-6-0x0000000007810000-0x000000000781A000-memory.dmp

memory/3356-7-0x0000000000400000-0x000000000055E000-memory.dmp

memory/3356-10-0x0000000000400000-0x000000000055E000-memory.dmp

memory/3356-11-0x0000000000400000-0x000000000055E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe

MD5 229aac217b6c51316a7cc85ed25e0afa
SHA1 93b54f651da0072ee3de6bf9d52bc842dc66703a
SHA256 564b3d6f688b3c54a47a1d2499216282fb2eb8f994a5e51a966cdec7957b1582
SHA512 392a36d1abad13687a7bb8e6866e9c7d54b3821195ae8901b0d9fc1bc4f26e231f48988049523fe1369ea9e6d9f236389008c066e4faea31a3c95332c5f36fbf

C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe

MD5 b7b58b1b23b6b86767c9b0698c93cf3f
SHA1 799155d925ebedc0a6b8085681a305e8499b3d7b
SHA256 6890c1d80261835bafdb6b5f02450261e7a2291beb2978e9c839258d9224c208
SHA512 cf31f48f2fc325051e8ed00077c21c1b952c95663d1b17e668b5cd172b9366d49684028d1fe77a2acb137cb71528fdbe1fa84632a2095dbc03a751787b25d908

C:\Users\Admin\AppData\Local\Temp\DriverReviver.exe

MD5 61128c6a02e3350f9411fdaac30e088d
SHA1 21c549d6e0caa58c76c380f456fdd09d5ac2cf3b
SHA256 dbb08d76f0657edb20acdeee6f91ac183c8e0b79ddb47b7b843abe62a57c66ed
SHA512 c512605074f1d4b154a18ceca7a285b89005c54995e2bf6930584ad0b4415fbb29cd41e26c81e749e21cc19d42161a34e81ebf6e6c79aa01d22fa54ec1cd3365

memory/1172-50-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/1172-51-0x0000000007370000-0x0000000007380000-memory.dmp

memory/3356-52-0x0000000000400000-0x000000000055E000-memory.dmp

C:\Users\Admin\AppData\Roaming\326324\326324.exe

MD5 2f3e247c45825120899a3904713b480c
SHA1 9282ee8c628d2fbf5da37be7b6ba20040b769e38
SHA256 a42e8d2cb57ad55ff4abc72bc69c5f6f69b237f1e89d7fa414909fdb7e9e41f6
SHA512 113f754442f18d2f87d4fe2a512b7b6a01f4942b73394880e0693ddaeed4d5c972060b707b724e3ff210b9aaa14d6e5e4e885cf548f71d11cb1129d6117719a2

C:\Users\Admin\AppData\Roaming\326324\326324.exe

MD5 74372598021dffe91b83f666364cdd08
SHA1 af83b4d54dac222952284dbcebbb7a57bc1fdb7e
SHA256 e6f89bf827127b05c15c4f16083e13682259e7ec2cde1e944447b25d080e0490
SHA512 fb72248bd7b69f4df323c7a29e9d8a582acf1a47d193dffdabdcf3d79a9a1ed7992d0c7eeee77dd0700b98aa6fc8b8b0b59be7fd49346afa7380b9404db92c7c

memory/4952-57-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/4952-58-0x0000000000A80000-0x0000000002682000-memory.dmp

memory/4952-59-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

memory/2340-65-0x0000000000830000-0x000000000098E000-memory.dmp

memory/2340-69-0x0000000000830000-0x000000000098E000-memory.dmp

memory/4952-70-0x0000000074B80000-0x0000000075330000-memory.dmp