Malware Analysis Report

2025-01-22 14:18

Sample ID 240226-1mh13ahc9z
Target a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249
SHA256 a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249
Tags
warzonerat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249

Threat Level: Known bad

The file a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

WarzoneRat, AveMaria

Warzone RAT payload

Detects executables embedding command execution via IExecuteCommand COM object

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-26 21:45

Signatures

Unsigned PE

Description Indicator Process Target
(1 row, all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-26 21:45

Reported

2024-02-26 21:48

Platform

win7-20240221-en

Max time kernel

135s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
(8 rows, all fields N/A)

Detects executables embedding command execution via IExecuteCommand COM object

Description Indicator Process Target
(8 rows, all fields N/A)

Warzone RAT payload

rat
Description Indicator Process Target
(8 rows, all fields N/A)

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 2492 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1976 wrote to memory of 2460 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe C:\Windows\SysWOW64\schtasks.exe
PID 1976 wrote to memory of 1648 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe
PID 1976 wrote to memory of 520 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe
PID 1976 wrote to memory of 2736 (11 writes) N/A C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe

"C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PJyjqaDnYyPE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PJyjqaDnYyPE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCCD.tmp"

C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe

"C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe"

C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe

"C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe"

C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe

"C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe"
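The three child command lines above carry the loader tradecraft that the signature list does not name: a Windows Defender exclusion for a path under the user's AppData (Add-MpPreference -ExclusionPath), a scheduled task created from an XML file in the user's Temp directory (schtasks /Create /XML), and child images under SysWOW64 although the command lines name System32, which is WOW64 file-system redirection and shows that the parent is a 32-bit process. The task name Updates\PJyjqaDnYyPE and the excluded path are identical in the Windows 10 run below, so they are fixed in the sample's configuration rather than generated per host and are usable as host indicators. The Python below is an added example, not part of the sandbox report: it runs those three checks over a constructed set of process-creation events (the report's three child processes plus two benign lines) whose field names are this example's own, not the sandbox's schema.

```python
import re

# Constructed process-creation events: the three children recorded in the
# behavioral1 run, plus two benign lines for the rules to ignore. The field
# names (pid, ppid, image, cmdline) are assumptions of this example.
EVENTS = [
    {"pid": 2492, "ppid": 1976,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PJyjqaDnYyPE.exe"'},
    {"pid": 2460, "ppid": 1976,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PJyjqaDnYyPE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCCD.tmp"'},
    {"pid": 2736, "ppid": 1976,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe"'},
    # benign (constructed): an admin excluding a build tree from a 64-bit shell
    {"pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Build\out"'},
    # benign (constructed): a task defined inline rather than from a temp XML
    {"pid": 4101, "ppid": 900,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup" /TR "C:\Tools\backup.exe" /SC DAILY'},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
EXCLUSION = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+\"?([^\"\s]+)", re.I)
TASK_XML = re.compile(r"schtasks(?:\.exe)?\"?\s+.*?/Create\b.*?/XML\s+\"?([^\"\s]+)", re.I)


def defender_exclusion_in_user_dir(ev):
    """Defender exclusion added for a path the current user can write to."""
    m = EXCLUSION.search(ev["cmdline"])
    return bool(m and USER_WRITABLE.search(m.group(1)))


def task_from_temp_xml(ev):
    """Scheduled task created from an XML definition dropped in %TEMP%."""
    m = TASK_XML.search(ev["cmdline"])
    return bool(m and TEMP_DIR.search(m.group(1)))


def wow64_redirected(ev):
    """Image under SysWOW64 while the command line names System32: the parent
    is 32-bit and file-system redirection resolved the path."""
    return ("\\syswow64\\" in ev["image"].lower()
            and "\\system32\\" in ev["cmdline"].lower())


RULES = {
    "defender_exclusion_user_dir": defender_exclusion_in_user_dir,
    "schtasks_create_from_temp_xml": task_from_temp_xml,
    "wow64_parent_32bit": wow64_redirected,
}


def triage(events):
    """Return {pid: [names of rules that fired]} for events with at least one hit."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[ev["pid"]] = fired
    return hits


if __name__ == "__main__":
    for pid, fired in triage(EVENTS).items():
        print(pid, ", ".join(fired))
```

Both report children fire two rules each; the sample's own respawned copy fires none here because its tell is memory writes rather than its command line, and the two benign lines stay silent. The WOW64 check is a context rule, not a detection on its own: 32-bit administrative tools produce the same mismatch.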

Network

Country Destination Domain Proto
JP 146.70.76.43:43206 tcp (4 connections)

Files

memory/1976-0-0x00000000002B0000-0x00000000003C8000-memory.dmp

memory/1976-1-0x0000000074BA0000-0x000000007528E000-memory.dmp

memory/1976-2-0x0000000001F40000-0x0000000001F80000-memory.dmp

memory/1976-3-0x00000000006D0000-0x00000000006E8000-memory.dmp

memory/1976-4-0x0000000074BA0000-0x000000007528E000-memory.dmp

memory/1976-5-0x0000000001F40000-0x0000000001F80000-memory.dmp

memory/1976-6-0x0000000008160000-0x0000000008256000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCCD.tmp

MD5 b4fe84fb699133c1ec258e61c669cc11
SHA1 66cece17131f3d668bc068359ac3475b7135cdc7
SHA256 549809f0b60578d25ca4cd2bb80a074ff803af7acd7c3046be404d9cc57a8986
SHA512 6cb9e05e8814b8798fea8feb8cdff137dbe1144eb1c3353c3a647c44801390c4dcd93e6ec1c9f3584460f1bd054781dd77976ebc0f9bb9dbbb8813c9d4f7d81f

memory/1976-14-0x00000000021D0000-0x00000000021FC000-memory.dmp

memory/2736-15-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2736-16-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2736-17-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2736-18-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2736-19-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2736-20-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2736-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2736-24-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2492-23-0x000000006F240000-0x000000006F7EB000-memory.dmp

memory/2492-25-0x000000006F240000-0x000000006F7EB000-memory.dmp

memory/2492-27-0x00000000022A0000-0x00000000022E0000-memory.dmp

memory/2492-29-0x00000000022A0000-0x00000000022E0000-memory.dmp

memory/2492-28-0x00000000022A0000-0x00000000022E0000-memory.dmp

memory/2736-30-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1976-31-0x0000000074BA0000-0x000000007528E000-memory.dmp

memory/2736-32-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2492-33-0x000000006F240000-0x000000006F7EB000-memory.dmp

memory/2736-34-0x0000000000400000-0x000000000055E000-memory.dmp
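Read together, the WriteProcessMemory table and the memory dumps above give the injection picture that the per-signature tables leave implicit. The parent (PID 1976) starts its own image three times (1648, 520, 2736) and writes into each, but only 2736 receives more than the four writes that the PowerShell and schtasks children also receive (four writes is what ordinary process creation records here), and only 2736 has a dumped region at 0x400000-0x55E000, the classic 32-bit link base, which the parent itself does not use since its image sits at 0x2B0000. With "Suspicious use of SetThreadContext" in the Malicious Activity Summary, that is the shape of process hollowing with two abandoned attempts before the successful one. This is a reading of the recorded events, not a conclusion the sandbox states. The Python below is an added example, not part of the report: it rebuilds that picture from the two tables. The row and dump-name formats are the report's own; the legacy-base heuristic and the verdict wording are assumptions, and paths are assumed to contain no spaces, as in this report.

```python
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"


def _row(src, dst, src_img, dst_img):
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


# One entry per row of the behavioral1 WriteProcessMemory table (constructed
# from the report; the multipliers are that table's row counts).
WRITE_ROWS = (
    [_row(1976, 2492, SAMPLE, POWERSHELL)] * 4
    + [_row(1976, 2460, SAMPLE, SCHTASKS)] * 4
    + [_row(1976, 1648, SAMPLE, SAMPLE)] * 4
    + [_row(1976, 520, SAMPLE, SAMPLE)] * 4
    + [_row(1976, 2736, SAMPLE, SAMPLE)] * 11
)

# A subset of the behavioral1 Files section, dump names copied as listed.
DUMP_NAMES = [
    "memory/1976-0-0x00000000002B0000-0x00000000003C8000-memory.dmp",
    "memory/1976-1-0x0000000074BA0000-0x000000007528E000-memory.dmp",
    "memory/2736-15-0x0000000000400000-0x000000000055E000-memory.dmp",
    "memory/2736-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2492-23-0x000000006F240000-0x000000006F7EB000-memory.dmp",
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Default link base of a 32-bit PE built without ASLR. Assumption of this
# example: a payload mapped there inside a respawned copy is the hollowing tell.
LEGACY_IMAGE_BASE = 0x400000


def parse_writes(rows):
    """(source pid, target pid) -> {"count", "same_image"}."""
    out = {}
    for r in rows:
        m = WRITE_RE.match(r)
        if not m:
            raise ValueError(f"unrecognised row: {r!r}")
        src, dst, src_img, dst_img = int(m[1]), int(m[2]), m[3], m[4]
        entry = out.setdefault((src, dst), {"count": 0, "same_image": src_img.lower() == dst_img.lower()})
        entry["count"] += 1
    return out


def parse_dumps(names):
    """pid -> list of (start, end) address ranges that were dumped from it."""
    regions = defaultdict(list)
    for n in names:
        m = DUMP_RE.match(n)
        if not m:
            raise ValueError(f"unrecognised dump name: {n!r}")
        regions[int(m[1])].append((int(m[2], 16), int(m[3], 16)))
    return regions


def injection_report(rows, dump_names):
    """Per written-to pid: write count, whether it is a copy of the writer's own
    image, and whether a region at the legacy image base was dumped from it."""
    writes, dumps = parse_writes(rows), parse_dumps(dump_names)
    report = {}
    for (src, dst), w in writes.items():
        fixed_base = any(start == LEGACY_IMAGE_BASE for start, _ in dumps.get(dst, []))
        if w["same_image"] and fixed_base:
            verdict = "hollowed: own image respawned, written to, image mapped at legacy base"
        elif w["same_image"]:
            verdict = "own image respawned and written to, nothing dumped: likely abandoned attempt"
        else:
            verdict = "child with a different image, few writes: consistent with process creation only"
        report[dst] = {"writer": src, "writes": w["count"], "same_image": w["same_image"],
                       "fixed_base_dump": fixed_base, "verdict": verdict}
    return report


if __name__ == "__main__":
    for pid, info in injection_report(WRITE_ROWS, DUMP_NAMES).items():
        print(pid, info["writes"], info["verdict"])
```

The dump from PID 2736 at 0x400000-0x55E000 is the one to carve and scan for the Warzone RAT YARA match; the parent's 0x2B0000 region is the loader.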

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-26 21:45

Reported

2024-02-26 21:48

Platform

win10v2004-20240226-en

Max time kernel

126s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
(4 rows, all fields N/A)

Detects executables embedding command execution via IExecuteCommand COM object

Description Indicator Process Target
(4 rows, all fields N/A)

Warzone RAT payload

rat
Description Indicator Process Target
(4 rows, all fields N/A)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1004 wrote to memory of 3780 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1004 wrote to memory of 180 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe C:\Windows\SysWOW64\schtasks.exe
PID 1004 wrote to memory of 1032 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe
PID 1004 wrote to memory of 1196 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe
PID 1004 wrote to memory of 3004 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe

"C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PJyjqaDnYyPE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PJyjqaDnYyPE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1AD6.tmp"

C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe

"C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe"

C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe

"C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe"

C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe

"C:\Users\Admin\AppData\Local\Temp\a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=3112,i,1786399861560734457,5606877702857066305,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
GB 172.217.16.234:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
JP 146.70.76.43:43206 tcp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
JP 146.70.76.43:43206 tcp
JP 146.70.76.43:43206 tcp
JP 146.70.76.43:43206 tcp
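Of the twelve rows in this table only the four connections to 146.70.76.43:43206 are attributable to the sample. The 8.8.8.8:53 rows are reverse lookups (in-addr.arpa names) sent to the sandbox resolver, not connections to the sample's infrastructure; 172.217.16.234:443 is Google-hosted and 52.142.223.178:80 is Microsoft-hosted address space, and, like the msedge.exe utility process in the process list, they are absent from the Windows 7 run and belong to the Windows 10 image's background activity. The endpoint on 146.70.76.43 is the one present in both runs and is the network indicator to block. The Python below is an added example, not part of the report: it makes that separation mechanically by parsing both runs' Network tables as printed, discarding reverse-DNS lookups, and scoring each endpoint by how many runs it appears in and how often it was contacted. The resolver address and the scoring are assumptions of this example.

```python
import re
from collections import defaultdict

# Network rows from both runs, copied as printed ("Country Destination Domain
# Proto"; the Domain column is empty for plain TCP connections). Constructed
# from the report above.
RUNS = {
    "behavioral1 (win7)": ["JP 146.70.76.43:43206 tcp"] * 4,
    "behavioral2 (win10)": [
        "US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp",
        "US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp",
        "US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp",
        "US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp",
        "GB 172.217.16.234:443 tcp",
        "US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp",
        "NL 52.142.223.178:80 tcp",
        "JP 146.70.76.43:43206 tcp",
        "US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp",
        "JP 146.70.76.43:43206 tcp",
        "JP 146.70.76.43:43206 tcp",
        "JP 146.70.76.43:43206 tcp",
    ],
}

ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
SANDBOX_RESOLVER = "8.8.8.8"  # assumption: the resolver handed to the guest


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised network row: {row!r}")
    country, ip, port, domain, proto = m.groups()
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_reverse_lookup(ev):
    """PTR query to the resolver: name resolution noise, not a contacted endpoint."""
    return (ev["port"] == 53 and ev["ip"] == SANDBOX_RESOLVER
            and (ev["domain"] or "").endswith(".in-addr.arpa"))


def ptr_target(ev):
    """Turn '41.110.16.96.in-addr.arpa' back into the address being looked up."""
    octets = ev["domain"][: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def score_endpoints(runs):
    """endpoint -> {"runs": set of run names, "hits": connection count}."""
    stats = defaultdict(lambda: {"runs": set(), "hits": 0})
    for run_name, rows in runs.items():
        for ev in map(parse_row, rows):
            if is_reverse_lookup(ev):
                continue
            key = f'{ev["proto"]}://{ev["ip"]}:{ev["port"]}'
            stats[key]["runs"].add(run_name)
            stats[key]["hits"] += 1
    return dict(stats)


def cross_run_iocs(runs):
    """Endpoints contacted in every run, most-contacted first: the ones to block."""
    stats = score_endpoints(runs)
    shared = [k for k, v in stats.items() if len(v["runs"]) == len(runs)]
    return sorted(shared, key=lambda k: -stats[k]["hits"])


if __name__ == "__main__":
    for ep, v in score_endpoints(RUNS).items():
        print(ep, len(v["runs"]), "run(s)", v["hits"], "hit(s)")
    looked_up = [ptr_target(ev) for rows in RUNS.values()
                 for ev in map(parse_row, rows) if is_reverse_lookup(ev)]
    print("addresses reverse-resolved by the guest:", looked_up)
    print("shared across runs:", cross_run_iocs(RUNS))
```

Endpoints seen in a single run are not necessarily clean; a sample can fail over to a secondary server only when the first is unreachable. Cross-run presence raises confidence in an indicator, it does not clear the others.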

Files

memory/1004-1-0x0000000000080000-0x0000000000198000-memory.dmp

memory/1004-0-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/1004-2-0x00000000051B0000-0x0000000005754000-memory.dmp

memory/1004-3-0x0000000004C00000-0x0000000004C92000-memory.dmp

memory/1004-4-0x0000000004DF0000-0x0000000004E00000-memory.dmp

memory/1004-5-0x0000000004BA0000-0x0000000004BAA000-memory.dmp

memory/1004-6-0x0000000004E40000-0x0000000004E58000-memory.dmp

memory/1004-7-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/1004-8-0x0000000004DF0000-0x0000000004E00000-memory.dmp

memory/1004-9-0x0000000005F00000-0x0000000005F9C000-memory.dmp

memory/1004-10-0x0000000006090000-0x0000000006186000-memory.dmp

memory/3780-15-0x00000000028E0000-0x0000000002916000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1AD6.tmp

MD5 b6896a4b16a272d061553a61401c1528
SHA1 e68c5e2721cff2b2213593f2340b425d114d466d
SHA256 e284a9b90af3786166c17b732298453ec5bb3418e82265be262af74085715216
SHA512 bfacbf057a38178023138b51867d59dfe264f807e08cde9ae0232c9d4e8ec4fc113b3c8507fd893839b34482ba481f46f905803e832549bade7db05d4bab9663

memory/3780-17-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/3780-19-0x0000000002890000-0x00000000028A0000-memory.dmp

memory/1004-18-0x0000000006180000-0x00000000061AC000-memory.dmp

memory/3780-21-0x00000000052C0000-0x00000000058E8000-memory.dmp

memory/3780-20-0x0000000002890000-0x00000000028A0000-memory.dmp

memory/3004-22-0x0000000000400000-0x000000000055E000-memory.dmp

memory/3780-25-0x00000000051F0000-0x0000000005212000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1gkdbu0.xgz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3780-27-0x00000000059F0000-0x0000000005A56000-memory.dmp

memory/3004-35-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1004-34-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/3780-33-0x0000000005B50000-0x0000000005BB6000-memory.dmp

memory/3004-26-0x0000000000400000-0x000000000055E000-memory.dmp

memory/3780-40-0x0000000005CC0000-0x0000000006014000-memory.dmp

memory/3780-41-0x00000000061D0000-0x00000000061EE000-memory.dmp

memory/3780-42-0x0000000006220000-0x000000000626C000-memory.dmp

memory/3780-43-0x0000000002890000-0x00000000028A0000-memory.dmp

memory/3780-44-0x000000007F690000-0x000000007F6A0000-memory.dmp

memory/3780-45-0x00000000067B0000-0x00000000067E2000-memory.dmp

memory/3780-46-0x0000000071C60000-0x0000000071CAC000-memory.dmp

memory/3780-56-0x0000000006790000-0x00000000067AE000-memory.dmp

memory/3780-57-0x00000000071B0000-0x0000000007253000-memory.dmp

memory/3780-58-0x0000000007B20000-0x000000000819A000-memory.dmp

memory/3780-59-0x00000000074E0000-0x00000000074FA000-memory.dmp

memory/3780-60-0x0000000007550000-0x000000000755A000-memory.dmp

memory/3780-61-0x0000000007760000-0x00000000077F6000-memory.dmp

memory/3780-62-0x00000000076E0000-0x00000000076F1000-memory.dmp

memory/3780-63-0x0000000007710000-0x000000000771E000-memory.dmp

memory/3780-64-0x0000000007720000-0x0000000007734000-memory.dmp

memory/3780-65-0x0000000007820000-0x000000000783A000-memory.dmp

memory/3780-66-0x0000000007800000-0x0000000007808000-memory.dmp

memory/3780-68-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/3004-69-0x0000000000400000-0x000000000055E000-memory.dmp