Malware Analysis Report

2025-01-22 14:19

Sample ID 240220-grckascd7t
Target d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe
SHA256 d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e
Tags warzonerat infostealer persistence rat
Score 10/10

Table of Contents

Analysis Overview

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e

Threat Level: Known bad

The file d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe was found to be: Known bad.

Summary of the behavior recorded in the detonations below: the sample copies itself unchanged to C:\Users\Admin\Documents\IntelDrivers.exe (the dropped file carries the same MD5, SHA1 and SHA256 as the submitted sample), registers that copy under the HKLM Run key as the value "Intel Drivers" (written through the Wow6432Node view, i.e. by a 32-bit process on 64-bit Windows), enables SeDebugPrivilege, and repeatedly writes into freshly spawned instances of itself and of IntelDrivers.exe (WriteProcessMemory, flagged together with SetThreadContext). Memory dumps of the 0x00400000-0x0055A000 image region exist only for the children that received the bulk of those writes (PIDs 2780 and 1568 on Windows 7, 4936 and 2800 on Windows 10); the siblings that received only three or four writes left no dump. Both detonations resolve sgh2024.ddns.net and connect to 82.137.32.65:5200/tcp (RO). The static pass found no Authenticode signature (Unsigned PE).

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat, AveMaria

Detects executables embedding command execution via IExecuteCommand COM object

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Warzone RAT payload

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-02-20 06:01

Signatures

Unsigned PE

1 hit (Description, Indicator, Process and Target all N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-20 06:01

Reported

2024-02-20 06:04

Platform

win7-20231215-en

Max time kernel

137s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

11 hits (Description, Indicator, Process and Target all N/A)

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

11 hits (Description, Indicator, Process and Target all N/A)

Detects executables embedding command execution via IExecuteCommand COM object

11 hits (Description, Indicator, Process and Target all N/A)

Warzone RAT payload

rat

11 hits (Description, Indicator, Process and Target all N/A)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\IntelDrivers.exe N/A
N/A N/A C:\Users\Admin\Documents\IntelDrivers.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Drivers = "C:\\Users\\Admin\\Documents\\IntelDrivers.exe" C:\Users\Admin\AppData\Local\Temp\d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe N/A

Suspicious use of WriteProcessMemory

The sandbox logs one row per write call; identical rows are collapsed below with a count. SAMPLE = C:\Users\Admin\AppData\Local\Temp\d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe, DROPPED = C:\Users\Admin\Documents\IntelDrivers.exe.

Description                        Writes  Indicator  Process  Target
PID 1684 wrote to memory of 2820   4       N/A        SAMPLE   SAMPLE
PID 1684 wrote to memory of 2812   4       N/A        SAMPLE   SAMPLE
PID 1684 wrote to memory of 2088   4       N/A        SAMPLE   SAMPLE
PID 1684 wrote to memory of 2780   12      N/A        SAMPLE   SAMPLE
PID 2780 wrote to memory of 2148   4       N/A        SAMPLE   DROPPED
PID 2148 wrote to memory of 1568   12      N/A        DROPPED  DROPPED

Processes

Seven process instances, all started with no arguments:

5 × C:\Users\Admin\AppData\Local\Temp\d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe"

2 × C:\Users\Admin\Documents\IntelDrivers.exe
    command line: "C:\Users\Admin\Documents\IntelDrivers.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sgh2024.ddns.net udp
RO 82.137.32.65:5200 sgh2024.ddns.net tcp
RO 82.137.32.65:5200 sgh2024.ddns.net tcp
RO 82.137.32.65:5200 sgh2024.ddns.net tcp

Files

memory/1684-0-0x0000000000350000-0x00000000003E8000-memory.dmp

memory/1684-1-0x0000000074C80000-0x000000007536E000-memory.dmp

memory/1684-2-0x0000000004810000-0x0000000004850000-memory.dmp

memory/1684-3-0x00000000006D0000-0x00000000006EC000-memory.dmp

memory/1684-4-0x0000000001F00000-0x0000000001F12000-memory.dmp

memory/1684-5-0x0000000004890000-0x00000000048F8000-memory.dmp

memory/1684-6-0x0000000074C80000-0x000000007536E000-memory.dmp

memory/1684-7-0x0000000004810000-0x0000000004850000-memory.dmp

memory/2780-10-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2780-14-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2780-17-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2780-18-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2780-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2780-16-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2780-12-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2780-8-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2780-21-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2780-23-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1684-24-0x0000000074C80000-0x000000007536E000-memory.dmp

memory/2780-25-0x0000000000400000-0x000000000055A000-memory.dmp

\Users\Admin\Documents\IntelDrivers.exe

MD5 3abd65d34fbbd87ce50eaa1b0eb439d0
SHA1 ff225553cca948f35a0765f48b5b146f43bb4203
SHA256 d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e
SHA512 3ce3c7fc6f0ae3706458e8079e50ad1e1d7235394528e001a107c5fa577badc9116f99639a3ff21fa169f941c56ba7df2b960ab0678c51b71cb6a5ae9070e616

memory/2780-35-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2148-37-0x0000000074AE0000-0x00000000751CE000-memory.dmp

memory/2148-36-0x0000000000EA0000-0x0000000000F38000-memory.dmp

memory/2148-38-0x0000000000C10000-0x0000000000C50000-memory.dmp

memory/2148-39-0x0000000074AE0000-0x00000000751CE000-memory.dmp

memory/1568-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1568-54-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2148-55-0x0000000074AE0000-0x00000000751CE000-memory.dmp

memory/1568-56-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1568-57-0x0000000000400000-0x000000000055A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-20 06:01

Reported

2024-02-20 06:04

Platform

win10v2004-20231215-en

Max time kernel

137s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

7 hits (Description, Indicator, Process and Target all N/A)

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

7 hits (Description, Indicator, Process and Target all N/A)

Detects executables embedding command execution via IExecuteCommand COM object

7 hits (Description, Indicator, Process and Target all N/A)

Warzone RAT payload

rat

7 hits (Description, Indicator, Process and Target all N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Drivers = "C:\\Users\\Admin\\Documents\\IntelDrivers.exe" C:\Users\Admin\AppData\Local\Temp\d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe N/A
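The Run key written in both detonations points a machine-wide autorun entry at an executable inside the user's Documents folder, which is the detail worth hunting for: legitimate HKLM autoruns almost never launch from a user-writable path. The script below is an added example for this report, not sandbox tooling. It takes registry "set value" records in the form the tables above use (key path, value name, value data), keeps only Run/RunOnce locations, extracts the launch target (including the doubled backslashes the sandbox prints and any quoting or trailing arguments), and flags targets under user-writable roots. The first entry is the value recorded above; the other entries, the HKU SID and the list of user-writable roots are constructed assumptions.

```python
"""Triage Run-key autorun entries whose launch target lives in a user-writable directory.

Added example for this report (not sandbox tooling). The first entry is the value the
sandbox recorded; the other four are constructed, and the HKU SID is made up."""
import re
from dataclasses import dataclass

# (key path as the sandbox prints it, value name, value data)
SAMPLE_RUN_ENTRIES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "Intel Drivers", r'"C:\\Users\\Admin\\Documents\\IntelDrivers.exe"'),
    (r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r'"C:\Users\Admin\AppData\Roaming\upd\upd.exe" /silent'),        # constructed
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),         # constructed
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "VendorTray", r'"C:\Program Files\Vendor\tray.exe" -minimized'),             # constructed
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo",
     "InstallLocation", r"C:\Users\Admin\AppData\Local\Foo\foo.exe"),             # constructed, not an autorun key
]

# Autorun locations (both the native and the Wow6432Node view end the same way).
AUTORUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.I)

# Assumption: roots a non-admin user can write to; extend for your environment.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(documents|downloads|desktop|appdata|music|pictures|videos)"
    r"|users\\public|programdata|windows\\temp|temp)\\",
    re.I,
)

def launch_target(value_data):
    """Extract the executable path from Run value data: collapses the doubled backslashes
    sandboxes print, honours a quoted path, and drops trailing arguments."""
    data = value_data.replace("\\\\", "\\").strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.I)
    return m.group(1) if m else data.split(" ", 1)[0]

@dataclass(frozen=True)
class Finding:
    hive: str
    value_name: str
    target: str

def hive_of(key_path):
    k = key_path.upper()
    if k.startswith(r"\REGISTRY\MACHINE"):
        return "HKLM"
    if k.startswith(r"\REGISTRY\USER"):
        return "HKU"
    return "?"

def triage_run_entries(entries):
    """Return autorun entries whose launch target is in a user-writable location."""
    findings = []
    for key, name, data in entries:
        if not AUTORUN_KEY.search(key):
            continue                      # not an autorun location at all
        target = launch_target(data)
        if USER_WRITABLE.match(target):
            findings.append(Finding(hive_of(key), name, target))
    return findings

if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{f.hive} Run\\{f.value_name} -> {f.target}")
```

On a live 64-bit host the same value is visible to a 64-bit reg.exe as HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, so a hunt that only reads the native HKLM\SOFTWARE\Microsoft\...\Run view misses it; check both views (or use reg query with /reg:32).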

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\IntelDrivers.exe N/A

Suspicious use of WriteProcessMemory

The sandbox logs one row per write call; identical rows are collapsed below with a count. SAMPLE = C:\Users\Admin\AppData\Local\Temp\d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe, DROPPED = C:\Users\Admin\Documents\IntelDrivers.exe.

Description                        Writes  Indicator  Process  Target
PID 452 wrote to memory of 2228    3       N/A        SAMPLE   SAMPLE
PID 452 wrote to memory of 4936    11      N/A        SAMPLE   SAMPLE
PID 4936 wrote to memory of 4140   3       N/A        SAMPLE   DROPPED
PID 4140 wrote to memory of 3992   3       N/A        DROPPED  DROPPED
PID 4140 wrote to memory of 2652   3       N/A        DROPPED  DROPPED
PID 4140 wrote to memory of 2800   11      N/A        DROPPED  DROPPED
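The WriteProcessMemory tables in both detonations are long because the sandbox emits one row per call, but the structure underneath is a small graph: a root process writes into several children of its own image, one child hands off to the renamed copy, and that copy in turn writes into children of itself. The script below is an added example for this report, not sandbox tooling: it parses rows in the exact text form used above, collapses duplicates into per-edge write counts, finds the root (a PID that writes but is never written to), finds the cross-image hand-off (writer and target are different executables), and follows the child with the most writes at each hop. The rows are transcribed from the Windows 10 table, with each row's repeat count given instead of repeating it. Nothing here decides which child actually ran the payload; in this report the sandbox's memory dumps of the 0x00400000-0x0055A000 region happen to exist only for the most-written children (4936 and 2800), which is why the max-writes heuristic is worth printing.

```python
"""Rebuild the process-injection chain from 'Suspicious use of WriteProcessMemory' rows.

Added example for this report (not sandbox tooling). The rows are transcribed from the
behavioral2 table, each with its repeat count rather than the repeated lines."""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe"
DROPPED = r"C:\Users\Admin\Documents\IntelDrivers.exe"

_ROWS = [  # (row text as the report prints it, number of times it appears)
    (f"PID 452 wrote to memory of 2228 N/A {SAMPLE} {SAMPLE}", 3),
    (f"PID 452 wrote to memory of 4936 N/A {SAMPLE} {SAMPLE}", 11),
    (f"PID 4936 wrote to memory of 4140 N/A {SAMPLE} {DROPPED}", 3),
    (f"PID 4140 wrote to memory of 3992 N/A {DROPPED} {DROPPED}", 3),
    (f"PID 4140 wrote to memory of 2652 N/A {DROPPED} {DROPPED}", 3),
    (f"PID 4140 wrote to memory of 2800 N/A {DROPPED} {DROPPED}", 11),
]
REPORT_TEXT = "\n".join(text for text, n in _ROWS for _ in range(n))

# Description, Indicator, Process (writer image), Target (written image)
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

def parse_writes(text):
    """Collapse repeated rows into {(writer_pid, target_pid): count} and a pid -> image map."""
    counts, image = Counter(), {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        counts[(int(src), int(dst))] += 1
        image[int(src)], image[int(dst)] = src_img, dst_img
    return counts, image

def roots(counts):
    """PIDs that write into others but are never written to: where the chain starts."""
    writers = {s for s, _ in counts}
    targets = {d for _, d in counts}
    return sorted(writers - targets)

def cross_image_edges(counts, image):
    """Edges whose writer and target are different executables (dropper -> renamed copy)."""
    return sorted((s, d) for s, d in counts if image[s] != image[d])

def dominant_chain(counts, start):
    """From start, follow the child that received the most writes at each hop."""
    out = defaultdict(list)
    for (s, d), n in counts.items():
        out[s].append((n, d))
    chain, cur = [start], start
    while out[cur]:
        cur = max(out[cur])[1]
        chain.append(cur)
    return chain

def render_tree(counts, image, node, depth=0):
    """Indented text tree of writer -> written-to relationships with write counts."""
    name = image[node].rsplit("\\", 1)[-1]
    lines = [f"{'    ' * depth}{node} [{name}]"]
    children = sorted(((d, n) for (s, d), n in counts.items() if s == node), key=lambda e: -e[1])
    for d, n in children:
        lines.append(f"{'    ' * depth}  |-- {n} write(s) -->")
        lines.extend(render_tree(counts, image, d, depth + 1))
    return lines

if __name__ == "__main__":
    c, img = parse_writes(REPORT_TEXT)
    for r in roots(c):
        print("\n".join(render_tree(c, img, r)))
        print("dominant chain:", " -> ".join(map(str, dominant_chain(c, r))))
    print("cross-image hand-off:", cross_image_edges(c, img))
```

The same parser runs unchanged over the Windows 7 table (root 1684, hand-off 2780 to 2148, dominant chain 1684, 2780, 2148, 1568); only the transcribed rows differ.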

Processes

Seven process instances, all started with no arguments:

3 × C:\Users\Admin\AppData\Local\Temp\d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e.exe"

4 × C:\Users\Admin\Documents\IntelDrivers.exe
    command line: "C:\Users\Admin\Documents\IntelDrivers.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 sgh2024.ddns.net udp
RO 82.137.32.65:5200 sgh2024.ddns.net tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RO 82.137.32.65:5200 sgh2024.ddns.net tcp
RO 82.137.32.65:5200 sgh2024.ddns.net tcp
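The Windows 10 network table mixes three kinds of rows: reverse (in-addr.arpa) DNS lookups, a forward lookup of a dynamic-DNS name, and the TCP sessions that follow it, plus one TCP connection with an empty Domain cell. Only the forward lookup and the sessions it explains are indicators; the PTR queries are not tied to any connection the sample made in this table. The script below is an added example for this report, not sandbox tooling. It parses rows in the table's layout (tolerating the empty Domain cell), turns PTR names back into the IPs they ask about, and separates C2 candidates from the rest. The rows are transcribed from the table above; the dynamic-DNS suffix list is an assumption of the example.

```python
"""Separate C2 indicators from background DNS in a sandbox 'Network' table.

Added example for this report (not sandbox tooling). Rows are transcribed from the
behavioral2 Network table; DDNS_SUFFIXES is an assumption of this example."""
import re
from collections import defaultdict

NETWORK_TABLE = """\
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 sgh2024.ddns.net udp
RO 82.137.32.65:5200 sgh2024.ddns.net tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RO 82.137.32.65:5200 sgh2024.ddns.net tcp
RO 82.137.32.65:5200 sgh2024.ddns.net tcp
"""

# Assumption: a few well-known dynamic-DNS suffixes; extend from your own intel.
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".duckdns.org", ".hopto.org")
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)

def parse_rows(table):
    """Yield (country, ip, port, domain_or_None, proto); the Domain cell may be empty."""
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto

def ptr_target(name):
    """'241.150.49.20.in-addr.arpa' -> '20.49.150.241' (PTR names reverse the octets)."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None

def triage_network(table):
    result = {
        "c2": defaultdict(set),    # domain -> {(ip, port, proto)} for non-DNS sessions
        "ddns_domains": set(),     # forward lookups of dynamic-DNS names
        "ptr_lookups": set(),      # IPs that were reverse-resolved; no session rows here
        "unattributed": set(),     # sessions with an empty Domain cell
    }
    for country, ip, port, domain, proto in parse_rows(table):
        if port == 53 and proto == "udp":          # a DNS query to the resolver
            rev = ptr_target(domain)
            if rev:
                result["ptr_lookups"].add(rev)
            elif domain and domain.lower().endswith(DDNS_SUFFIXES):
                result["ddns_domains"].add(domain.lower())
            continue
        if domain:                                 # a session the table ties to a name
            result["c2"][domain.lower()].add((ip, port, proto))
        else:
            result["unattributed"].add((ip, port, proto))
    result["c2"] = dict(result["c2"])
    return result

if __name__ == "__main__":
    r = triage_network(NETWORK_TABLE)
    for domain, sessions in r["c2"].items():
        for ip, port, proto in sorted(sessions):
            print(f"C2 candidate: {domain} -> {ip}:{port}/{proto}")
    print("dynamic DNS names:", sorted(r["ddns_domains"]))
    print("reverse-resolved IPs (no sessions):", sorted(r["ptr_lookups"]))
    print("sessions without a name:", sorted(r["unattributed"]))
```

For blocking, carry forward the name and the resolved endpoint together (sgh2024.ddns.net and 82.137.32.65:5200/tcp): a dynamic-DNS name can be repointed at will, so the IP alone goes stale quickly, and the name alone misses direct-to-IP fallback. The reverse-resolved IPs and the unattributed 52.142.223.178:80 session have no supporting evidence in this table and should not enter a blocklist on this report alone.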

Files

memory/452-1-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/452-0-0x00000000009F0000-0x0000000000A88000-memory.dmp

memory/452-2-0x0000000005AF0000-0x0000000006094000-memory.dmp

memory/452-3-0x0000000005480000-0x0000000005512000-memory.dmp

memory/452-4-0x0000000005630000-0x0000000005640000-memory.dmp

memory/452-5-0x0000000005470000-0x000000000547A000-memory.dmp

memory/452-6-0x0000000006AA0000-0x0000000006ABC000-memory.dmp

memory/452-7-0x0000000006AD0000-0x0000000006AE2000-memory.dmp

memory/452-8-0x0000000006D60000-0x0000000006DC8000-memory.dmp

memory/452-9-0x00000000093C0000-0x000000000945C000-memory.dmp

memory/452-10-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/452-11-0x0000000005630000-0x0000000005640000-memory.dmp

memory/4936-12-0x0000000000400000-0x000000000055A000-memory.dmp

memory/4936-15-0x0000000000400000-0x000000000055A000-memory.dmp

memory/4936-17-0x0000000000400000-0x000000000055A000-memory.dmp

memory/452-16-0x00000000745F0000-0x0000000074DA0000-memory.dmp

C:\Users\Admin\Documents\IntelDrivers.exe

MD5 3abd65d34fbbd87ce50eaa1b0eb439d0
SHA1 ff225553cca948f35a0765f48b5b146f43bb4203
SHA256 d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e
SHA512 3ce3c7fc6f0ae3706458e8079e50ad1e1d7235394528e001a107c5fa577badc9116f99639a3ff21fa169f941c56ba7df2b960ab0678c51b71cb6a5ae9070e616

memory/4936-22-0x0000000000400000-0x000000000055A000-memory.dmp

memory/4140-23-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/4140-24-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

memory/4140-25-0x00000000052C0000-0x00000000052D2000-memory.dmp

memory/4140-26-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/2800-33-0x0000000000400000-0x000000000055A000-memory.dmp

memory/4140-35-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/2800-34-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2800-36-0x0000000000400000-0x000000000055A000-memory.dmp