Overview

overview

10

Static

static

1

sample.html

windows7-x64

1

sample.html

windows10-2004-x64

10

Resubmissions

19-03-2024 09:13

240319-k6zvxsgf6x 10

19-03-2024 09:08

240319-k38cwsge7z 1

Analysis

  • max time kernel
    326s
  • max time network
    330s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2024 09:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample.html

  • Size

    88KB

  • MD5

    fa1f40ef09d084500e63cec86333d59c

  • SHA1

    cfcb60bb7ddb345bdcb6505b0eedca58f7e93518

  • SHA256

    cdea3f40ff14e31e8afc0810ea6dfea48d79f5d30dbf2b66673aa89546f40cdb

  • SHA512

    e23475b0d98d736ad84555c6c475d239bee6e6619ead4350b94c1ef60ad02b264d95a5cc48221519984972477ec6be984ea1f9e8f7e2571e2712a2a4620c83cc

  • SSDEEP

    1536:ybQBKbTtHnD3A0vuhGyUfjsfzf04PAPlPkpyXIQkvukuyOct:qHnD3AeuUyUfgfzfNPAPlPkpyXINGY

Score
10/10
warzoneratinfostealerratrezer0

Malware Config

Extracted

Family

warzonerat

C2

168.61.222.215:5400

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Warzone RAT payload 8 IoCs
    rat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
    1⤵
      PID:2600
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5276 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
      1⤵
        PID:4084
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2288
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.0.1039771488\1820046915" -parentBuildID 20221007134813 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc8d2524-9fae-40e9-aaef-28f034b84ede} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 1960 237c32d1458 gpu
          2⤵
            PID:1056
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.1.391657204\982473354" -parentBuildID 20221007134813 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7aaaeb1-a1b3-4286-83d0-ddf7c13bd64a} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 2360 237c2de3558 socket
            2⤵
            • Checks processor information in registry
            PID:3692
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.2.1152291579\1605822291" -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3032 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1072 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65c75db8-2391-4dd7-a876-5f9fdca402d1} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 3076 237c6eb6e58 tab
            2⤵
              PID:3288
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.3.71161603\1768374472" -childID 2 -isForBrowser -prefsHandle 1284 -prefMapHandle 1280 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1072 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bee72036-b6b4-42cb-8d7f-e370d86a5a40} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 2508 237af372b58 tab
              2⤵
                PID:5064
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.4.344274508\1992361955" -childID 3 -isForBrowser -prefsHandle 3788 -prefMapHandle 3784 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1072 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3632c6ce-40e4-4fb7-b1b8-89dbf3404250} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 3800 237af362858 tab
                2⤵
                  PID:2004
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.5.1146743481\1457039274" -childID 4 -isForBrowser -prefsHandle 3736 -prefMapHandle 4712 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1072 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b032306-efe6-436e-a718-83ee7d78a229} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 4776 237c8e8ef58 tab
                  2⤵
                    PID:5296
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.6.1172651325\1837583047" -childID 5 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1072 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28703ada-a7d3-49fc-8549-bbb4a41b4802} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 5196 237c8e8e058 tab
                    2⤵
                      PID:5304
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.7.1039095549\724084421" -childID 6 -isForBrowser -prefsHandle 4816 -prefMapHandle 5184 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1072 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae0fbf9a-455d-43cb-b856-0f6feb7a0ec0} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 5412 237c8e8f258 tab
                      2⤵
                        PID:5332
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5392 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
                      1⤵
                        PID:3172
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5080 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
                        1⤵
                          PID:2656
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5544 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
                          1⤵
                            PID:4592
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5904 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
                            1⤵
                              PID:5748
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5996 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
                              1⤵
                                PID:2960
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=3776 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
                                1⤵
                                  PID:4136
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5444 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
                                  1⤵
                                    PID:3428
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=4780 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
                                    1⤵
                                      PID:2344
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6424 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
                                      1⤵
                                        PID:2144
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5728 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
                                        1⤵
                                          PID:4196
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6124 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
                                          1⤵
                                          • Modifies registry class
                                          PID:1708
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6584 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
                                          1⤵
                                            PID:3124
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=5648 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
                                            1⤵
                                              PID:4352
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=5636 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
                                              1⤵
                                                PID:5708
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=4980 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
                                                1⤵
                                                  PID:4396
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=6972 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
                                                  1⤵
                                                    PID:448
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5616 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
                                                    1⤵
                                                      PID:6056
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=5396 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
                                                      1⤵
                                                        PID:1216
                                                      • C:\Users\Admin\Downloads\WarzoneRAT.exe
                                                        "C:\Users\Admin\Downloads\WarzoneRAT.exe"
                                                        1⤵
                                                        • Suspicious use of SetThreadContext
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2160
                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp604D.tmp"
                                                          2⤵
                                                          • Creates scheduled task(s)
                                                          PID:5464
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                          2⤵
                                                            PID:6088
                                                        • C:\Windows\System32\rundll32.exe
                                                          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                          1⤵
                                                            PID:5696
                                                          • C:\Users\Admin\Downloads\WarzoneRAT.exe
                                                            "C:\Users\Admin\Downloads\WarzoneRAT.exe"
                                                            1⤵
                                                            • Suspicious use of SetThreadContext
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:776
                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                              "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB487.tmp"
                                                              2⤵
                                                              • Creates scheduled task(s)
                                                              PID:3844
                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                              2⤵
                                                                PID:3556
                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                2⤵
                                                                  PID:5612
                                                              • C:\Users\Admin\Downloads\WarzoneRAT.exe
                                                                "C:\Users\Admin\Downloads\WarzoneRAT.exe"
                                                                1⤵
                                                                • Suspicious use of SetThreadContext
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1304
                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCEA7.tmp"
                                                                  2⤵
                                                                  • Creates scheduled task(s)
                                                                  PID:4832
                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                  2⤵
                                                                    PID:1992
                                                                • C:\Windows\system32\taskmgr.exe
                                                                  "C:\Windows\system32\taskmgr.exe" /4
                                                                  1⤵
                                                                  • Checks SCSI registry key(s)
                                                                  • Checks processor information in registry
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:2800

                                                                Network

                                                                MITRE ATT&CK Matrix ATT&CK v13

                                                                Initial Access

                                                                Execution

                                                                Scheduled Task/Job

                                                                1
                                                                T1053

                                                                Persistence

                                                                Scheduled Task/Job

                                                                1
                                                                T1053

                                                                Privilege Escalation

                                                                Scheduled Task/Job

                                                                1
                                                                T1053

                                                                Defense Evasion

                                                                Credential Access

                                                                Discovery

                                                                Query Registry

                                                                3
                                                                T1012

                                                                Peripheral Device Discovery

                                                                1
                                                                T1120

                                                                System Information Discovery

                                                                2
                                                                T1082

                                                                Lateral Movement

                                                                Collection

                                                                Exfiltration

                                                                Command and Control

                                                                Web Service

                                                                1
                                                                T1102

                                                                Impact

                                                                Resource Development

                                                                Reconnaissance

                                                                Replay Monitor

                                                                Loading Replay Monitor...

                                                                Downloads

                                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WarzoneRAT.exe.log
                                                                  Filesize

                                                                  507B

                                                                  MD5

                                                                  8cf94b5356be60247d331660005941ec

                                                                  SHA1

                                                                  fdedb361f40f22cb6a086c808fc0056d4e421131

                                                                  SHA256

                                                                  52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

                                                                  SHA512

                                                                  b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

                                                                  Download Submit
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp604D.tmp
                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  0363e097717dafc465e10b2c2e851e4a

                                                                  SHA1

                                                                  ab618e2d91ae609cdc2193d167e70c794d9b9118

                                                                  SHA256

                                                                  d4f7b92cfe95411c7b8a817b8f8f75db2b04e40351edbc3bf1d644f872ac562c

                                                                  SHA512

                                                                  6018594ccc73d7bf5a59a5172119878e2c0ad5b0ec053c2388c1321ca185f0468ed14c1caa5a9679e519d1f9013735b143bea2187e0c0a92d67241cfd51dee1e

                                                                  Download Submit
                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
                                                                  Filesize

                                                                  2KB

                                                                  MD5

                                                                  720710f11c64ca923fa0950862ff071a

                                                                  SHA1

                                                                  3547a0b76c8d224256957ded0c311dd73916fb86

                                                                  SHA256

                                                                  5fe9a14e248403061c644661b2cdf402204f470c4b5e267fec808a1873ab8f51

                                                                  SHA512

                                                                  b5c71546d18207be0da6c15a8d09b0e33f6b9390eb75191efec2d823252071c25354d1d69e4718385f235c04c7c7151665d540364e74bc0586e813aae4ce874f

                                                                  Download Submit
                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\9a24efd5-6de1-4793-a365-dc28bbac0474
                                                                  Filesize

                                                                  746B

                                                                  MD5

                                                                  a324d0e955b8e38b1da74e04266dd7f6

                                                                  SHA1

                                                                  2bf59a972b72fd087643cb7db54cc72f117b5062

                                                                  SHA256

                                                                  c98f97098c07eaad29ddc01a91b8e7172b170da1cfb9174f71500a2d0029383b

                                                                  SHA512

                                                                  ec4606e1e035985361e9b2c2fda77d7ad509e18e9c109918474b4a5ec4b167ef6b4e6b4c76f8307066c3ee62c7469f192dcf6cbbd0eeffff06bc0be2db4d9d97

                                                                  Download Submit
                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\a033775e-3a34-4f19-b6c2-8170bc9191e9
                                                                  Filesize

                                                                  10KB

                                                                  MD5

                                                                  27ea4c5b5e508a8489bf83b203bd8914

                                                                  SHA1

                                                                  6ae5a53b2605698d940f5ac23d9c5f87d57f9735

                                                                  SHA256

                                                                  fe6d60a841111adad2f0a7c7612cf37ca63bc6329458386903773530f173ee71

                                                                  SHA512

                                                                  c988ab02c7aca21b9814cd0b92403c84f0fbe7dbac96c2d8b9757b206560db90a4d52fa65d592e85b84c91ce3a0687d1dedb76b8b0894ae72e3d4f28d12cb26f

                                                                  Download Submit
                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
                                                                  Filesize

                                                                  6KB

                                                                  MD5

                                                                  50c04433db2f5d846065a177a17a2148

                                                                  SHA1

                                                                  995c4d65c436a43d10ba61138479890dd79b2b6f

                                                                  SHA256

                                                                  ab951e2dfc6d87f61171edebed6bed1066e31fca465bdbb2c95265d23db98d04

                                                                  SHA512

                                                                  04657be30772c6aa41181d9cb8c2dd5192f5d79867105a4de69bc7098a4289ef93847325c7f45c25fe57378175a620596f40334f149753587e928aeee6d3744e

                                                                  Download Submit
                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
                                                                  Filesize

                                                                  6KB

                                                                  MD5

                                                                  0b0672ff80314b37f302b84e4e7d571c

                                                                  SHA1

                                                                  02d24a626cdbdd7199d065ba582de3c5c71e92bf

                                                                  SHA256

                                                                  fc63987a757ae39aa36e161dae753ecf0328c151ee1e5084896b3a61a8be056e

                                                                  SHA512

                                                                  d10a9e616cd51efa71d1596dcc52bd71dfb0ea5b5c9ea4cd3e6c6e8c33b2169d6d2283d437caec6b358997d1018e666a28a684af297179ba5f00d22df757003d

                                                                  Download Submit
                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4
                                                                  Filesize

                                                                  885B

                                                                  MD5

                                                                  abcd7b0f474e1a631025e86d3ef88a73

                                                                  SHA1

                                                                  e5b6e45106b58a5e7e879ec5bf41cba436cd059d

                                                                  SHA256

                                                                  9d15d266ce66ea2657dd40dae6f17215efaed95b54d524cae0267a70f8d916f4

                                                                  SHA512

                                                                  6ce7e71086414049dd303ea1d3b4b271ca5e708e6fcf07e4984e07b084333bbb4e2f32a3a19680f02d3e2d23c78c232ec9223018ff072d93fb308c80f084cd09

                                                                  Download Submit
                                                                • memory/776-169-0x0000000074780000-0x0000000074F30000-memory.dmp
                                                                  Filesize

                                                                  7.7MB

                                                                  Download
                                                                • memory/776-163-0x00000000051C0000-0x00000000051D0000-memory.dmp
                                                                  Filesize

                                                                  64KB

                                                                  Download
                                                                • memory/776-162-0x0000000074780000-0x0000000074F30000-memory.dmp
                                                                  Filesize

                                                                  7.7MB

                                                                  Download
                                                                • memory/1304-180-0x0000000074780000-0x0000000074F30000-memory.dmp
                                                                  Filesize

                                                                  7.7MB

                                                                  Download
                                                                • memory/1304-174-0x0000000004AF0000-0x0000000004B00000-memory.dmp
                                                                  Filesize

                                                                  64KB

                                                                  Download
                                                                • memory/1304-173-0x0000000074780000-0x0000000074F30000-memory.dmp
                                                                  Filesize

                                                                  7.7MB

                                                                  Download
                                                                • memory/1992-182-0x0000000000400000-0x0000000000553000-memory.dmp
                                                                  Filesize

                                                                  1.3MB

                                                                  Download
                                                                • memory/1992-181-0x0000000000400000-0x0000000000553000-memory.dmp
                                                                  Filesize

                                                                  1.3MB

                                                                  Download
                                                                • memory/2160-144-0x0000000002F00000-0x0000000002F10000-memory.dmp
                                                                  Filesize

                                                                  64KB

                                                                  Download
                                                                • memory/2160-148-0x0000000006350000-0x00000000063EC000-memory.dmp
                                                                  Filesize

                                                                  624KB

                                                                  Download
                                                                • memory/2160-143-0x0000000000AF0000-0x0000000000B46000-memory.dmp
                                                                  Filesize

                                                                  344KB

                                                                  Download
                                                                • memory/2160-149-0x0000000005C80000-0x0000000005CA8000-memory.dmp
                                                                  Filesize

                                                                  160KB

                                                                  Download
                                                                • memory/2160-146-0x00000000058F0000-0x0000000005982000-memory.dmp
                                                                  Filesize

                                                                  584KB

                                                                  Download
                                                                • memory/2160-147-0x00000000058C0000-0x00000000058C8000-memory.dmp
                                                                  Filesize

                                                                  32KB

                                                                  Download
                                                                • memory/2160-160-0x0000000074F00000-0x00000000756B0000-memory.dmp
                                                                  Filesize

                                                                  7.7MB

                                                                  Download
                                                                • memory/2160-142-0x0000000074F00000-0x00000000756B0000-memory.dmp
                                                                  Filesize

                                                                  7.7MB

                                                                  Download
                                                                • memory/2160-145-0x0000000005D00000-0x00000000062A4000-memory.dmp
                                                                  Filesize

                                                                  5.6MB

                                                                  Download
                                                                • memory/2800-192-0x00000175714B0000-0x00000175714B1000-memory.dmp
                                                                  Filesize

                                                                  4KB

                                                                  Download
                                                                • memory/2800-185-0x00000175714B0000-0x00000175714B1000-memory.dmp
                                                                  Filesize

                                                                  4KB

                                                                  Download
                                                                • memory/2800-194-0x00000175714B0000-0x00000175714B1000-memory.dmp
                                                                  Filesize

                                                                  4KB

                                                                  Download
                                                                • memory/2800-183-0x00000175714B0000-0x00000175714B1000-memory.dmp
                                                                  Filesize

                                                                  4KB

                                                                  Download
                                                                • memory/2800-195-0x00000175714B0000-0x00000175714B1000-memory.dmp
                                                                  Filesize

                                                                  4KB

                                                                  Download
                                                                • memory/2800-190-0x00000175714B0000-0x00000175714B1000-memory.dmp
                                                                  Filesize

                                                                  4KB

                                                                  Download
                                                                • memory/2800-193-0x00000175714B0000-0x00000175714B1000-memory.dmp
                                                                  Filesize

                                                                  4KB

                                                                  Download
                                                                • memory/2800-184-0x00000175714B0000-0x00000175714B1000-memory.dmp
                                                                  Filesize

                                                                  4KB

                                                                  Download
                                                                • memory/2800-189-0x00000175714B0000-0x00000175714B1000-memory.dmp
                                                                  Filesize

                                                                  4KB

                                                                  Download
                                                                • memory/2800-191-0x00000175714B0000-0x00000175714B1000-memory.dmp
                                                                  Filesize

                                                                  4KB

                                                                  Download
                                                                • memory/5612-172-0x0000000000400000-0x0000000000553000-memory.dmp
                                                                  Filesize

                                                                  1.3MB

                                                                  Download
                                                                • memory/5612-171-0x0000000000400000-0x0000000000553000-memory.dmp
                                                                  Filesize

                                                                  1.3MB

                                                                  Download
                                                                • memory/6088-159-0x0000000000400000-0x0000000000553000-memory.dmp
                                                                  Filesize

                                                                  1.3MB

                                                                  Download
                                                                • memory/6088-170-0x0000000000400000-0x0000000000553000-memory.dmp
                                                                  Filesize

                                                                  1.3MB

                                                                  Download
                                                                • memory/6088-158-0x0000000000400000-0x0000000000553000-memory.dmp
                                                                  Filesize

                                                                  1.3MB

                                                                  Download
                                                                • memory/6088-155-0x0000000000400000-0x0000000000553000-memory.dmp
                                                                  Filesize

                                                                  1.3MB

                                                                  Download