Malware Analysis Report

2025-01-22 14:19

Sample ID 240219-b7jewsgh92
Target 3abd65d34fbbd87ce50eaa1b0eb439d0.exe
SHA256 d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e
Tags warzonerat infostealer persistence rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e

Threat Level: Known bad

The file 3abd65d34fbbd87ce50eaa1b0eb439d0.exe was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat spyware stealer

WarzoneRat, AveMaria

Warzone RAT payload

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-19 01:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-19 01:47

Reported

2024-02-19 01:49

Platform

win7-20231215-en

Max time kernel

121s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\IntelDrivers.exe N/A
N/A N/A C:\Users\Admin\Documents\IntelDrivers.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Drivers = "C:\\Users\\Admin\\Documents\\IntelDrivers.exe" C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\IntelDrivers.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 1916 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 2556 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2556 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2556 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2556 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2380 wrote to memory of 1556 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2380 wrote to memory of 1556 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2380 wrote to memory of 1556 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2380 wrote to memory of 1556 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2380 wrote to memory of 1556 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2380 wrote to memory of 1556 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2380 wrote to memory of 1556 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2380 wrote to memory of 1556 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2380 wrote to memory of 1556 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2380 wrote to memory of 1556 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2380 wrote to memory of 1556 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2380 wrote to memory of 1556 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe

"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"

C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe

"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"

C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe

"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"

C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe

"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"

C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe

"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"

C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe

"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"

C:\Users\Admin\Documents\IntelDrivers.exe

"C:\Users\Admin\Documents\IntelDrivers.exe"

C:\Users\Admin\Documents\IntelDrivers.exe

"C:\Users\Admin\Documents\IntelDrivers.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sgh2024.ddns.net udp
DE 172.94.111.9:5200 sgh2024.ddns.net tcp
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp

Files

memory/1916-0-0x00000000000D0000-0x0000000000168000-memory.dmp

memory/1916-1-0x0000000074DE0000-0x00000000754CE000-memory.dmp

memory/1916-2-0x0000000004ED0000-0x0000000004F10000-memory.dmp

memory/1916-3-0x0000000000430000-0x000000000044C000-memory.dmp

memory/1916-4-0x0000000000460000-0x0000000000472000-memory.dmp

memory/1916-5-0x0000000004E50000-0x0000000004EB8000-memory.dmp

memory/1916-6-0x0000000074DE0000-0x00000000754CE000-memory.dmp

memory/1916-7-0x0000000004ED0000-0x0000000004F10000-memory.dmp

memory/2556-8-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2556-9-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2556-10-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2556-11-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2556-12-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2556-13-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2556-14-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2556-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2556-17-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1916-20-0x0000000074DE0000-0x00000000754CE000-memory.dmp

memory/2556-19-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2556-21-0x0000000000400000-0x000000000055A000-memory.dmp

\Users\Admin\Documents\IntelDrivers.exe

MD5 3abd65d34fbbd87ce50eaa1b0eb439d0
SHA1 ff225553cca948f35a0765f48b5b146f43bb4203
SHA256 d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e
SHA512 3ce3c7fc6f0ae3706458e8079e50ad1e1d7235394528e001a107c5fa577badc9116f99639a3ff21fa169f941c56ba7df2b960ab0678c51b71cb6a5ae9070e616

memory/2556-31-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2380-32-0x0000000000360000-0x00000000003F8000-memory.dmp

memory/2380-34-0x00000000049B0000-0x00000000049F0000-memory.dmp

memory/2380-33-0x0000000074B00000-0x00000000751EE000-memory.dmp

memory/2380-35-0x0000000074B00000-0x00000000751EE000-memory.dmp

memory/1556-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2380-52-0x0000000074B00000-0x00000000751EE000-memory.dmp

memory/1556-53-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1556-54-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1556-55-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1556-56-0x0000000005270000-0x0000000005370000-memory.dmp

memory/1556-57-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1556-58-0x0000000000400000-0x000000000055A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-19 01:47

Reported

2024-02-19 01:49

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Drivers = "C:\\Users\\Admin\\Documents\\IntelDrivers.exe" C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\IntelDrivers.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\IntelDrivers.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 228 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 228 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 228 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 228 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 228 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 228 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 228 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 228 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 228 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 228 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 228 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
PID 5000 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 5000 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 5000 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1956 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1956 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1956 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 2656 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 2656 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 2656 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 3408 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 3408 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 3408 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1236 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1236 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1236 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1236 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1236 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1236 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1236 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1236 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1236 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1236 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe
PID 2320 wrote to memory of 1236 N/A C:\Users\Admin\Documents\IntelDrivers.exe C:\Users\Admin\Documents\IntelDrivers.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe

"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"

C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe

"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"

C:\Users\Admin\Documents\IntelDrivers.exe

"C:\Users\Admin\Documents\IntelDrivers.exe"

C:\Users\Admin\Documents\IntelDrivers.exe

"C:\Users\Admin\Documents\IntelDrivers.exe"

C:\Users\Admin\Documents\IntelDrivers.exe

"C:\Users\Admin\Documents\IntelDrivers.exe"

C:\Users\Admin\Documents\IntelDrivers.exe

"C:\Users\Admin\Documents\IntelDrivers.exe"

C:\Users\Admin\Documents\IntelDrivers.exe

"C:\Users\Admin\Documents\IntelDrivers.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 sgh2024.ddns.net udp
DE 172.94.111.9:5200 sgh2024.ddns.net tcp
US 8.8.8.8:53 9.111.94.172.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp
US 8.8.8.8:53 133.250.112.20.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

memory/228-0-0x0000000000C10000-0x0000000000CA8000-memory.dmp

memory/228-1-0x0000000074E70000-0x0000000075620000-memory.dmp

memory/228-2-0x0000000005B60000-0x0000000006104000-memory.dmp

memory/228-3-0x0000000005690000-0x0000000005722000-memory.dmp

memory/228-4-0x0000000005830000-0x0000000005840000-memory.dmp

memory/228-5-0x0000000005840000-0x000000000584A000-memory.dmp

memory/228-6-0x0000000005980000-0x000000000599C000-memory.dmp

memory/228-7-0x0000000005AD0000-0x0000000005AE2000-memory.dmp

memory/228-8-0x0000000006FB0000-0x0000000007018000-memory.dmp

memory/228-9-0x0000000009600000-0x000000000969C000-memory.dmp

memory/228-10-0x0000000074E70000-0x0000000075620000-memory.dmp

memory/228-11-0x0000000005830000-0x0000000005840000-memory.dmp

memory/5000-12-0x0000000000400000-0x000000000055A000-memory.dmp

memory/5000-15-0x0000000000400000-0x000000000055A000-memory.dmp

memory/228-16-0x0000000074E70000-0x0000000075620000-memory.dmp

memory/5000-17-0x0000000000400000-0x000000000055A000-memory.dmp

C:\Users\Admin\Documents\IntelDrivers.exe

MD5 3abd65d34fbbd87ce50eaa1b0eb439d0
SHA1 ff225553cca948f35a0765f48b5b146f43bb4203
SHA256 d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e
SHA512 3ce3c7fc6f0ae3706458e8079e50ad1e1d7235394528e001a107c5fa577badc9116f99639a3ff21fa169f941c56ba7df2b960ab0678c51b71cb6a5ae9070e616

memory/5000-22-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2320-23-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/2320-24-0x0000000005450000-0x0000000005460000-memory.dmp

memory/2320-25-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/2320-26-0x0000000005450000-0x0000000005460000-memory.dmp

memory/2320-35-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/1236-34-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1236-36-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1236-37-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1236-38-0x000000000AFD0000-0x000000000B170000-memory.dmp

memory/1236-39-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1236-40-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1236-44-0x000000000B580000-0x000000000B604000-memory.dmp