Malware Analysis Report

2024-10-24 16:46

Sample ID 240417-q5jefaad97
Target 49c21f3186b335344bdcf60a381000d795da7aaa94a0b65d522899703bd7c149
SHA256 49c21f3186b335344bdcf60a381000d795da7aaa94a0b65d522899703bd7c149
Tags: warzonerat infostealer persistence rat

Score: 10/10


Analysis Overview

Score: 10/10

SHA256

49c21f3186b335344bdcf60a381000d795da7aaa94a0b65d522899703bd7c149

Threat Level: Known bad

The file 49c21f3186b335344bdcf60a381000d795da7aaa94a0b65d522899703bd7c149 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat, AveMaria

Warzone RAT payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Uses the VBS compiler for execution

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Delays execution with timeout.exe

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs regedit.exe

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 13:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 13:50

Reported

2024-04-17 13:53

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2560 set thread context of 2656 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe C:\Windows\System32\cmd.exe
PID 1640 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe C:\Windows\system32\cmd.exe
PID 2120 wrote to memory of 2736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2224 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2224 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2560 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2560 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\regedit.exe
PID 2560 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2560 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2560 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe

"C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEDF.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 200

Network

N/A

Files

memory/1640-0-0x0000000000C50000-0x0000000000C6C000-memory.dmp

memory/1640-1-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

memory/1640-2-0x000000001B1E0000-0x000000001B260000-memory.dmp

memory/1640-3-0x000000001B0D0000-0x000000001B14A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEDF.tmp.bat

MD5 b6ed3657bb0bb72e22b45244d24b7847
SHA1 3bd8b07bd9016fcf28b90af5b5d82cf219bdb6f9
SHA256 755c1f0d37cf6d499c0a75d1033f6df75236fcc9dc3dc2901fc87de40210219a
SHA512 255c77d2c0274e8c690c2d75144b3de800e3c12404b1fb815675ee57973ca6a315a3130e5d2449145f30bd8c9dd0d1ef5d945daf154e0f1920387a7ca5905c57

memory/1640-13-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

\Users\Admin\AppData\Roaming\svchost.exe

MD5 a9862010588f43a61bd317483b93947b
SHA1 31987c99822c71a38cebc13d8d3261833313a77c
SHA256 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447
SHA512 1ac4380dfb2c8cea6a4071c56d6cbf21a17cb79c791fe264dbe65b5f72749dd159918810d0ab00cbb84b8531e464f2c697d8d00fc34b7044228096a5d7dd06b1

memory/2560-18-0x00000000000E0000-0x00000000000FC000-memory.dmp

memory/2560-19-0x000007FEF4BE0000-0x000007FEF55CC000-memory.dmp

memory/2560-20-0x000000001B0A0000-0x000000001B120000-memory.dmp

memory/2588-21-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2588-23-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2588-25-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2588-27-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2588-29-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2588-24-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2588-22-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2656-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2656-72-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2560-74-0x000007FEF4BE0000-0x000007FEF55CC000-memory.dmp

memory/2656-75-0x0000000000400000-0x000000000055A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 13:50

Reported

2024-04-17 13:54

Platform

win10v2004-20240412-en

Max time kernel

185s

Max time network

209s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3988 set thread context of 1280 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3192 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe C:\Windows\System32\cmd.exe
PID 3192 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe C:\Windows\System32\cmd.exe
PID 3192 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe C:\Windows\system32\cmd.exe
PID 3192 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe C:\Windows\system32\cmd.exe
PID 220 wrote to memory of 1324 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 452 wrote to memory of 1924 (2 events) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 220 wrote to memory of 3988 (2 events) N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3988 wrote to memory of 868 (9 events) N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\regedit.exe
PID 3988 wrote to memory of 1280 (11 events) N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
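The rows above are the sandbox's per-event record of cross-process writes. As an added example (not part of the report), the following Python triage embeds those rows as constructed sample input, repeated by event count, collapses them into writer/target pairs, and flags the pattern visible here: a binary running from a user-writable path (the dropped svchost.exe in AppData\Roaming) writing repeatedly into freshly started Windows binaries (regedit.exe, vbc.exe). Together with the report's "Suspicious use of SetThreadContext" signature this is consistent with process-hollowing style injection; the path markers and the reading of the write counts are assumptions of this example, not something the report states.

```python
import re
from collections import Counter

# Constructed sample input: the "wrote to memory of" rows from the report.
# The report lists one identical row per WriteProcessMemory event; they are
# repeated here by count rather than pasted 26 times.
ROW = "PID {w} wrote to memory of {t} N/A {wimg} {timg}"
SAMPLE_ROWS = (
    [ROW.format(w=220, t=1324, wimg=r"C:\Windows\system32\cmd.exe",
                timg=r"C:\Windows\system32\timeout.exe")] * 2
    + [ROW.format(w=452, t=1924, wimg=r"C:\Windows\System32\cmd.exe",
                  timg=r"C:\Windows\system32\schtasks.exe")] * 2
    + [ROW.format(w=220, t=3988, wimg=r"C:\Windows\system32\cmd.exe",
                  timg=r"C:\Users\Admin\AppData\Roaming\svchost.exe")] * 2
    + [ROW.format(w=3988, t=868, wimg=r"C:\Users\Admin\AppData\Roaming\svchost.exe",
                  timg=r"C:\Windows\regedit.exe")] * 9
    + [ROW.format(w=3988, t=1280, wimg=r"C:\Users\Admin\AppData\Roaming\svchost.exe",
                  timg=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe")] * 11
)

# Assumption: image paths contain no spaces, as in this report. A parser for
# arbitrary reports would have to handle quoted paths.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# Locations an unprivileged user can write to (assumed list). A writer living
# here is not a trusted OS component, whatever its file name claims.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def is_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def is_windows_image(path):
    p = path.lower()
    return p.startswith("c:\\windows\\") and not is_user_writable(p)


def summarize_writes(rows):
    """Collapse per-event rows into (writer_pid, target_pid, writer_image, target_image) -> count."""
    counts = Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        wpid, tpid, wimg, timg = m.groups()
        counts[(int(wpid), int(tpid), wimg, timg)] += 1
    return counts


def hollowing_candidates(counts):
    """Pairs where a binary from a user-writable path writes into a Windows-owned image.

    A plain parent->child launch also produces a write or two (cmd.exe -> timeout.exe
    above), so the write count is returned as the supporting signal: hollowing copies
    a whole image into the target, section by section, and shows up as many writes.
    """
    out = []
    for (wpid, tpid, wimg, timg), n in counts.items():
        if is_user_writable(wimg) and is_windows_image(timg):
            out.append({"writer_pid": wpid, "writer_image": wimg,
                        "target_pid": tpid, "target_image": timg, "writes": n})
    return sorted(out, key=lambda c: -c["writes"])


if __name__ == "__main__":
    for c in hollowing_candidates(summarize_writes(SAMPLE_ROWS)):
        print(f"{c['writer_image']} (pid {c['writer_pid']}) -> "
              f"{c['target_image']} (pid {c['target_pid']}): {c['writes']} writes")
```

On this report the only flagged pairs are 3988 -> 868 (regedit.exe, 9 writes) and 3988 -> 1280 (vbc.exe, 11 writes); the cmd.exe launches are not flagged because the writer is a Windows binary. The memory dumps listed under Files for PID 1280 (0x400000-0x55A000, the default image base of a 32-bit executable) are the regions an analyst would pull to recover the injected payload.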

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe

"C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC24.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
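The process list above is the whole persistence chain: the sample drops a copy of itself to C:\Users\Admin\AppData\Roaming\svchost.exe (the Files section shows that file's SHA256 is 74ab97b0..., the same value the executed sample was named by), registers it with schtasks as an "svchost" task that runs at every logon at the highest run level, then uses a temporary .bat with `timeout 3` to wait before launching the copy. As an added example, not part of the report or of the sandbox tooling, the Python below parses that schtasks command line as recorded and scores the traits that make it suspicious; the second, benign command line and the lists of system binary names and user-writable paths are constructed for this example.

```python
import re

# Constructed inputs: the persistence command line recorded in the process list,
# and a benign task (invented for contrast) to show the checks stay quiet on it.
MALICIOUS_CMDLINE = (
    '"C:\\Windows\\System32\\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '
    '/tn "svchost" /tr \'"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"\' & exit'
)
BENIGN_CMDLINE = (
    'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" '
    '/tr "C:\\Program Files\\Backup\\backup.exe"'
)

# Assumed lists: names that belong to binaries shipped in System32, and path
# fragments that an unprivileged user can write to.
SYSTEM_BINARY_NAMES = {"svchost", "csrss", "lsass", "winlogon", "services",
                       "explorer", "dllhost", "conhost", "runtimebroker"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

# One schtasks switch and its optional value. The value may be wrapped in single
# quotes, double quotes, or both layers as in the report ('"C:\...\svchost.exe"').
SWITCH_RE = re.compile(r"""/(\w+)(?:\s+('[^']*'|"[^"]*"|[^\s/'"]\S*))?""")


def parse_schtasks(cmdline):
    """Return {switch: value} for the schtasks invocation inside cmdline, or None."""
    start = re.search(r"\bschtasks(?:\.exe)?\b", cmdline, re.IGNORECASE)
    if not start:
        return None
    fields = {}
    for name, value in SWITCH_RE.findall(cmdline[start.end():]):
        fields[name.lower()] = value.strip("'\"")  # peel both quoting layers
    return fields


def assess_task(fields):
    """List the traits of a /create invocation that warrant a closer look."""
    findings = []
    # Task names may sit in a folder (\Microsoft\Windows\...); compare the leaf.
    leaf = fields.get("tn", "").strip("\\").rsplit("\\", 1)[-1].lower()
    if leaf in SYSTEM_BINARY_NAMES:
        findings.append("task name impersonates a Windows system binary")
    action = fields.get("tr", "").lower()
    if any(m in action for m in USER_WRITABLE_MARKERS):
        findings.append("action runs an executable from a user-writable path")
    if fields.get("sc", "").lower() == "onlogon":
        findings.append("triggers at every logon")
    if fields.get("rl", "").lower() == "highest":
        findings.append("requests the highest available run level")
    if "f" in fields:
        findings.append("/f silently overwrites an existing task of the same name")
    return findings


if __name__ == "__main__":
    for label, cmd in (("sample", MALICIOUS_CMDLINE), ("benign", BENIGN_CMDLINE)):
        f = parse_schtasks(cmd)
        print(label, f.get("tn"), "->", f.get("tr"))
        for finding in assess_task(f):
            print("  -", finding)
```

The same five checks can be run over the output of `schtasks /query /fo LIST /v` or `Get-ScheduledTask` on a live host to find a task that this sample, or a rerun of it after reboot, left behind; the task name "svchost" with an action under AppData\Roaming is the artifact to look for.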

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FR 51.77.167.59:5951 tcp
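Most rows in the Network table are the analysis host's own resolver traffic: PTR queries to 8.8.8.8 for the peers it talked to (the reverse name 237.197.79.204.in-addr.arpa, for instance, is the g.bing.com address 204.79.197.237 in the row above it) plus Bing background traffic. The one row that none of that explains is the TCP connection to 51.77.167.59:5951 with no domain. As an added example, not part of the report, the Python below embeds the table rows as constructed input and separates them into reverse lookups (turned back into forward IPs), known background destinations, forward DNS queries worth reviewing, and unexplained endpoints; which destinations count as background is an assumption that has to be tuned to the sandbox in use, and the unexplained endpoint is a candidate for further analysis, not a confirmed C2.

```python
import re

# Constructed sample: the rows of the Network table (Country Destination Domain Proto).
NETWORK_ROWS = """
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FR 51.77.167.59:5951 tcp
""".strip().splitlines()

# The Domain column is empty for raw TCP connections, so it is optional here.
ROW_RE = re.compile(r"^(\w{2}) (\d+\.\d+\.\d+\.\d+):(\d+)(?: (\S+))? (tcp|udp)$")

# Assumed sandbox background: the resolver it uses and domains its OS image
# contacts on its own. Extend for the platform actually in use.
RESOLVERS = {"8.8.8.8"}
BACKGROUND_DOMAINS = (".bing.com", ".microsoft.com", ".windowsupdate.com", ".msftconnecttest.com")


def ptr_to_ip(name):
    """'48.229.111.52.in-addr.arpa' -> '52.111.229.48' (PTR names list the octets reversed)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name or "")
    return ".".join(reversed(m.groups())) if m else None


def triage(rows):
    result = {"reverse_lookups": [], "background": [], "dns_queries": [], "unexplained": []}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        port, domain = int(port), domain or ""
        fwd = ptr_to_ip(domain)
        if fwd:
            result["reverse_lookups"].append(fwd)
        elif domain.lower().endswith(BACKGROUND_DOMAINS):
            result["background"].append((domain, ip, port, proto))
        elif ip in RESOLVERS and port == 53:
            result["dns_queries"].append(domain)   # forward lookups the sample made
        else:
            result["unexplained"].append((country, ip, port, proto))
    return result


if __name__ == "__main__":
    for bucket, items in triage(NETWORK_ROWS).items():
        print(bucket, items)
```

The reverse-lookup bucket is useful in its own right: it lists the IPs the guest actually exchanged packets with, so an unexplained TCP endpoint that also shows up as a PTR query (it does not here) is one the OS resolved after the connection, not something the sample queried by name.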

Files

memory/3192-0-0x000001C60C5A0000-0x000001C60C5BC000-memory.dmp

memory/3192-1-0x00007FFDD1B90000-0x00007FFDD2651000-memory.dmp

memory/3192-2-0x000001C626D60000-0x000001C626D70000-memory.dmp

memory/3192-3-0x000001C626B00000-0x000001C626B7A000-memory.dmp

memory/3192-6-0x00007FFDD1B90000-0x00007FFDD2651000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAC24.tmp.bat

MD5 cdd08673f901d5eb3f63751713050d61
SHA1 12e73f07d10bee3cc3d5f8f0284216430b5f9eb0
SHA256 2929344e53b2ad12d5b3c1f69b1f1b1fa3fc6242f82d066d786c8d438a184ac6
SHA512 ef2ef35c59fbc416e1b599eae10192a88f7082c22860e130a5122ecbe6505f6fe7af42056a1e8c957b4c7752b15915efb9efef94342734ff8cb1486e490007aa

memory/3192-10-0x00007FFDD1B90000-0x00007FFDD2651000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 a9862010588f43a61bd317483b93947b
SHA1 31987c99822c71a38cebc13d8d3261833313a77c
SHA256 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447
SHA512 1ac4380dfb2c8cea6a4071c56d6cbf21a17cb79c791fe264dbe65b5f72749dd159918810d0ab00cbb84b8531e464f2c697d8d00fc34b7044228096a5d7dd06b1

memory/3988-14-0x00007FFDD19E0000-0x00007FFDD24A1000-memory.dmp

memory/3988-15-0x00007FFDD19E0000-0x00007FFDD24A1000-memory.dmp

memory/1280-16-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1280-18-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1280-19-0x0000000000400000-0x000000000055A000-memory.dmp