Malware Analysis Report

2025-01-22 14:19

Sample ID 240215-wwdqgsdg23
Target 9e3ab2e7f5e0800dcd95225fd81209e4
SHA256 a9164bf7d30f6de9782008453c71e87856e4bbf3e7ef8867e48f2121cd6a74f0
Tags warzonerat infostealer rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 a9164bf7d30f6de9782008453c71e87856e4bbf3e7ef8867e48f2121cd6a74f0

Threat Level: Known bad

The file 9e3ab2e7f5e0800dcd95225fd81209e4 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

WarzoneRat, AveMaria

Warzone RAT payload

CustAttr .NET packer

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-15 18:15

Signatures

Unsigned PE: 1 hit (no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-15 18:15

Reported

2024-02-15 18:18

Platform

win7-20231215-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

CustAttr .NET packer: 2 hits (no description, indicator, process or target recorded)

Warzone RAT payload

rat: 11 hits (no description, indicator, process or target recorded)

Executes dropped EXE: 3 hits, process C:\ProgramData\images.exe (no description, indicator or target recorded)

Loads dropped DLL: 1 hit, process C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe (no description, indicator or target recorded)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2332 set thread context of 1100 N/A C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
PID 2012 set thread context of 1564 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe

In both rows the source and the target run the same image, and the WriteProcessMemory rows below show the same source writing into the same target first (2332 into 1100, 2012 into 1564). Writing a child's memory and then redirecting its thread with SetThreadContext is the sequence characteristic of process hollowing, which is why the sandbox flags it.

Enumerates physical storage devices

Creates scheduled task(s)

persistence: 2 hits, process C:\Windows\SysWOW64\schtasks.exe (no description, indicator or target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\images.exe N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the number in parentheses is the count of recorded calls. The Indicator column is N/A for every row.

Description Process Target
PID 2332 wrote to memory of 2640 (x4) C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe C:\Windows\SysWOW64\schtasks.exe
PID 2332 wrote to memory of 2980 (x4) C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
PID 2332 wrote to memory of 1100 (x12) C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
PID 1100 wrote to memory of 2012 (x4) C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe C:\ProgramData\images.exe
PID 2012 wrote to memory of 1512 (x4) C:\ProgramData\images.exe C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 2996 (x4) C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2012 wrote to memory of 1564 (x12) C:\ProgramData\images.exe C:\ProgramData\images.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe

"C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuxfpXXblaf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp30.tmp"

C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe

"C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"

C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe

"C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuxfpXXblaf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCD5D.tmp"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 warzonlogs.duckdns.org udp
MX 136.144.41.81:5200 warzonlogs.duckdns.org tcp
MX 136.144.41.81:5200 warzonlogs.duckdns.org tcp

Files

memory/2332-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/2332-0-0x00000000009D0000-0x0000000000B00000-memory.dmp

memory/2332-2-0x0000000004310000-0x0000000004350000-memory.dmp

memory/2332-3-0x0000000000390000-0x00000000003A2000-memory.dmp

memory/2332-4-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/2332-5-0x0000000004310000-0x0000000004350000-memory.dmp

memory/2332-6-0x00000000049A0000-0x0000000004A2C000-memory.dmp

memory/2332-7-0x00000000005D0000-0x00000000005F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp30.tmp

MD5 ba2fc347d304952c8de42235a12fc4dd
SHA1 dc248085990ecfcef33ebd41a918e4e91ca4a6b6
SHA256 f7995844c542bf647801a37cb2d662d11b222ca8cded7fe8a20664f031521cec
SHA512 78fc81c7f87193e7a93b2bea11f2d1b03be51e7aaf8ebab77ffadf611fef3d7dc507f40f010dbc0077f8ed6682e8d8282211430dca30070c1337c9a462d84fd9

memory/1100-13-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1100-15-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1100-17-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1100-19-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1100-21-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1100-23-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1100-25-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1100-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1100-29-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1100-31-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2332-32-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/1100-33-0x0000000000400000-0x0000000000554000-memory.dmp

\ProgramData\images.exe

MD5 9e3ab2e7f5e0800dcd95225fd81209e4
SHA1 c7caae28067a798e4f592ec157b5f779aae87344
SHA256 a9164bf7d30f6de9782008453c71e87856e4bbf3e7ef8867e48f2121cd6a74f0
SHA512 07516d474e51194e05aca5f07037d388c55ce02c94f13a48d691ba43d3629ae28f90e08524db01e994020140f5539d52b333afb6c10b3e5d4c2349f2c2bb9d22

memory/2012-42-0x0000000073390000-0x0000000073A7E000-memory.dmp

memory/2012-41-0x0000000000230000-0x0000000000360000-memory.dmp

memory/1100-40-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2012-43-0x0000000004E60000-0x0000000004EA0000-memory.dmp

memory/2012-44-0x0000000000510000-0x0000000000522000-memory.dmp

memory/2012-45-0x0000000073390000-0x0000000073A7E000-memory.dmp

memory/2012-46-0x0000000004E60000-0x0000000004EA0000-memory.dmp

memory/1564-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1564-67-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2012-68-0x0000000073390000-0x0000000073A7E000-memory.dmp

memory/1564-69-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1564-70-0x0000000000400000-0x0000000000554000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-15 18:15

Reported

2024-02-15 18:18

Platform

win10v2004-20231222-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

CustAttr .NET packer: 2 hits (no description, indicator, process or target recorded)

Warzone RAT payload

rat: 7 hits (no description, indicator, process or target recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\ProgramData\images.exe N/A

Executes dropped EXE: 2 hits, process C:\ProgramData\images.exe (no description, indicator or target recorded)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1916 set thread context of 1540 N/A C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
PID 1960 set thread context of 1920 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe

As on the win7 run, each source and target run the same image and the WriteProcessMemory rows below show the source writing into the target first (1916 into 1540, 1960 into 1920): the write-then-redirect-thread sequence characteristic of process hollowing.

Enumerates physical storage devices

Creates scheduled task(s)

persistence: 2 hits, process C:\Windows\SysWOW64\schtasks.exe (no description, indicator or target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\images.exe N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the number in parentheses is the count of recorded calls. The Indicator column is N/A for every row.

Description Process Target
PID 1916 wrote to memory of 1840 (x3) C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe C:\Windows\SysWOW64\schtasks.exe
PID 1916 wrote to memory of 4808 (x3) C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
PID 1916 wrote to memory of 3260 (x3) C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
PID 1916 wrote to memory of 1540 (x11) C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
PID 1540 wrote to memory of 1960 (x3) C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe C:\ProgramData\images.exe
PID 1960 wrote to memory of 4372 (x3) C:\ProgramData\images.exe C:\Windows\SysWOW64\schtasks.exe
PID 1960 wrote to memory of 1920 (x11) C:\ProgramData\images.exe C:\ProgramData\images.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe

"C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuxfpXXblaf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4C0.tmp"

C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe

"C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"

C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe

"C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"

C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe

"C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuxfpXXblaf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC68.tmp"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 191.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 warzonlogs.duckdns.org udp
MX 136.144.41.81:5200 warzonlogs.duckdns.org tcp
MX 136.144.41.81:5200 warzonlogs.duckdns.org tcp
MX 136.144.41.81:5200 warzonlogs.duckdns.org tcp
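Both detonations record the same three behaviours in raw table rows: a parent writing into a child of the same image and then calling SetThreadContext on it (2332 into 1100 and 2012 into 1564 on win7; 1916 into 1540 and 1960 into 1920 on win10), a schtasks /Create /TN "Updates\PuxfpXXblaf" /XML call pointing at a file in the user's Temp directory, and a lookup of warzonlogs.duckdns.org followed by TCP connections to 136.144.41.81:5200. The script below pulls those out of the rows programmatically. It is an added example, not part of the sandbox report or of any tooling the report describes; the input tuples are transcribed from the behavioral1 tables (plus one win10 reverse-lookup row to exercise the noise filter) and constructed inline, and the function names are the example's own.

```python
"""Correlate sandbox behaviour rows into an injection chain, a persistence
entry and C2 indicators. Added example; all input below is transcribed from
this report's tables and constructed inline."""
import re

# Image paths as they appear in the behavioral1 (win7) tables.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"
IMAGES = r"C:\ProgramData\images.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed input: "wrote to memory of" rows, repeats collapsed to one
# (src_pid, dst_pid, src_image, dst_image) tuple each.
WRITE_PROCESS_MEMORY = [
    (2332, 2640, SAMPLE, SCHTASKS),
    (2332, 2980, SAMPLE, SAMPLE),
    (2332, 1100, SAMPLE, SAMPLE),
    (1100, 2012, SAMPLE, IMAGES),
    (2012, 1512, IMAGES, SCHTASKS),
    (2012, 2996, IMAGES, IMAGES),
    (2012, 1564, IMAGES, IMAGES),
]
# Constructed input: "set thread context of" rows.
SET_THREAD_CONTEXT = [
    (2332, 1100, SAMPLE, SAMPLE),
    (2012, 1564, IMAGES, IMAGES),
]
# Constructed input: the schtasks command line and the network table
# (one *.in-addr.arpa row taken from the win10 run for the noise filter).
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuxfpXXblaf" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp30.tmp"')
NETWORK = [
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "warzonlogs.duckdns.org", "udp"),
    ("MX", "136.144.41.81:5200", "warzonlogs.duckdns.org", "tcp"),
    ("MX", "136.144.41.81:5200", "warzonlogs.duckdns.org", "tcp"),
]


def hollowing_candidates(wpm_rows, stc_rows):
    """Return (src_pid, dst_pid) pairs where a process wrote into a child
    running the same image and then reset that child's thread context:
    the WriteProcessMemory + SetThreadContext sequence of process hollowing.
    A write with no matching SetThreadContext (2332 -> 2980 here) is not
    flagged on its own, and writes into schtasks.exe fail the same-image
    rule (ordinary child-process setup)."""
    writes = {(s, d) for s, d, si, di in wpm_rows if si == di}
    return [(s, d) for s, d, si, di in stc_rows if si == di and (s, d) in writes]


def parse_schtasks(cmdline):
    """Extract task name and XML definition path from a schtasks /Create
    line and flag the pattern seen in this report: a task under 'Updates\\'
    created from an XML file in the user's Temp directory."""
    tn = re.search(r'/TN\s+"([^"]+)"', cmdline)
    xml = re.search(r'/XML\s+"([^"]+)"', cmdline)
    name = tn.group(1) if tn else None
    xml_path = xml.group(1) if xml else None
    return {
        "task_name": name,
        "xml_path": xml_path,
        "xml_from_temp": bool(xml_path) and "\\appdata\\local\\temp\\" in xml_path.lower(),
        "updates_folder": bool(name) and name.lower().startswith("updates\\"),
    }


def network_iocs(rows):
    """Split the network table into looked-up domains (UDP/53, minus
    *.in-addr.arpa reverse lookups, which carry no C2 information) and
    distinct TCP endpoints as (ip, port, domain)."""
    domains, tcp = set(), set()
    for _country, dest, domain, proto in rows:
        if domain.endswith(".in-addr.arpa"):
            continue
        if proto == "udp" and dest.endswith(":53"):
            domains.add(domain)
        elif proto == "tcp":
            ip, port = dest.rsplit(":", 1)
            tcp.add((ip, int(port), domain))
    return {"domains": domains, "tcp": tcp}


if __name__ == "__main__":
    print("hollowing:", hollowing_candidates(WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT))
    print("persistence:", parse_schtasks(SCHTASKS_CMD))
    print("network:", network_iocs(NETWORK))
```

Swapping in the win10 rows (1916/1540, 1960/1920, the tmpF4C0.tmp and tmpAC68.tmp command lines) gives the same shape of result, which is the point: the chain, the task name under Updates\ and the duckdns endpoint are stable across both platforms while PIDs and temp file names are not.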

Files

memory/1916-0-0x0000000000480000-0x00000000005B0000-memory.dmp

memory/1916-1-0x0000000074860000-0x0000000075010000-memory.dmp

memory/1916-2-0x0000000005630000-0x0000000005BD4000-memory.dmp

memory/1916-3-0x0000000004F80000-0x0000000005012000-memory.dmp

memory/1916-4-0x00000000050F0000-0x0000000005100000-memory.dmp

memory/1916-5-0x0000000005040000-0x000000000504A000-memory.dmp

memory/1916-6-0x00000000052D0000-0x000000000536C000-memory.dmp

memory/1916-7-0x0000000005060000-0x0000000005072000-memory.dmp

memory/1916-8-0x0000000074860000-0x0000000075010000-memory.dmp

memory/1916-9-0x00000000050F0000-0x0000000005100000-memory.dmp

memory/1916-10-0x0000000005FC0000-0x000000000604C000-memory.dmp

memory/1916-11-0x0000000005CF0000-0x0000000005D12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF4C0.tmp

MD5 e536b4c0b440384b272d09a19b1ae7d5
SHA1 2fa64109ad69064e2c0645845e665eaca579cf2a
SHA256 f2b084597de0f7292a0d68357d8fd1b0346d848dafa63d1000c03d9eb8dd836d
SHA512 13f074fbb1c85f01a08fbcf2d1f1a19b55456d93497e6edad361110c679eb181d4535ae73b54b4dfb7cd1a1f10d9aaa6389e3ae0028034aa725c467a7809e951

memory/1540-17-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1540-20-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1916-21-0x0000000074860000-0x0000000075010000-memory.dmp

memory/1540-22-0x0000000000400000-0x0000000000554000-memory.dmp

C:\ProgramData\images.exe

MD5 9e3ab2e7f5e0800dcd95225fd81209e4
SHA1 c7caae28067a798e4f592ec157b5f779aae87344
SHA256 a9164bf7d30f6de9782008453c71e87856e4bbf3e7ef8867e48f2121cd6a74f0
SHA512 07516d474e51194e05aca5f07037d388c55ce02c94f13a48d691ba43d3629ae28f90e08524db01e994020140f5539d52b333afb6c10b3e5d4c2349f2c2bb9d22

memory/1540-27-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1960-28-0x00000000740C0000-0x0000000074870000-memory.dmp

memory/1960-29-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

memory/1960-30-0x0000000004730000-0x0000000004742000-memory.dmp

memory/1960-31-0x00000000740C0000-0x0000000074870000-memory.dmp

memory/1960-32-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

C:\ProgramData\images.exe

MD5 907e8de94742ded80a9560ff0fc0f55e
SHA1 3b968b957bc33d5611a1b4292bb1c671ad44439d
SHA256 e0cc36e41fe9551d741461677a97dd85a1873c12f4bfe0630849f704b86da294
SHA512 fa29c45556101395223b20504253c1246011d164349c1387f909ede49ed68d1693b10f7e2f69b730b691bce56284c06a283dd6e2f9b69f343ffbacbb8597017f

memory/1920-39-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1920-41-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1960-40-0x00000000740C0000-0x0000000074870000-memory.dmp

memory/1920-42-0x0000000000400000-0x0000000000554000-memory.dmp