Malware Analysis Report

2024-10-24 16:46

Sample ID 240417-r88deada37
Target e6648b42ce02b3ae9da6a901943a2e5bd3d96c8efd79561a3b3a6e1a33cf8fbe
SHA256 e6648b42ce02b3ae9da6a901943a2e5bd3d96c8efd79561a3b3a6e1a33cf8fbe
Tags
warzonerat infostealer rat persistence
score
10/10


Analysis Overview

score
10/10

SHA256

e6648b42ce02b3ae9da6a901943a2e5bd3d96c8efd79561a3b3a6e1a33cf8fbe

Threat Level: Known bad

The file e6648b42ce02b3ae9da6a901943a2e5bd3d96c8efd79561a3b3a6e1a33cf8fbe was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat persistence

WarzoneRat, AveMaria

Warzone RAT payload

Executes dropped EXE

Checks computer location settings

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

NTFS ADS

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-04-17 14:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 14:52

Reported

2024-04-17 14:57

Platform

win7-20240319-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1728 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1728 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1728 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 1728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 2972 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2972 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2972 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2972 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe

"C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hDGbEat.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hDGbEat" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB53.tmp"

C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe

"C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 200

Network

N/A

Files

memory/1728-0-0x0000000000280000-0x000000000030C000-memory.dmp

memory/1728-1-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/1728-2-0x0000000004C50000-0x0000000004C90000-memory.dmp

memory/1728-3-0x0000000000320000-0x0000000000334000-memory.dmp

memory/1728-4-0x0000000000670000-0x000000000067A000-memory.dmp

memory/1728-5-0x0000000000680000-0x000000000068E000-memory.dmp

memory/1728-6-0x0000000004E20000-0x0000000004E82000-memory.dmp

memory/1728-7-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/1728-8-0x0000000004C50000-0x0000000004C90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBB53.tmp

MD5 ef31e547be4c7a93afe58c95d409be25
SHA1 9322c14e312f53bc797734f009fa9f981482040e
SHA256 525a2b0e428eb4be4275182dbc56b90bab9826ace66cf52bebbcdd3a56f7a3b7
SHA512 c9f696832ec29df9785fd6366fb0379cc268a362bbe62611ff44fd610fde3c2c96b3225c31ef07b92cf4e2a28177354f15bd529ad928f519c314e59eefc6033c

memory/2972-14-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2972-15-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2972-16-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2972-17-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2972-18-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2972-20-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2972-22-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2972-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2972-26-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1728-28-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/2972-31-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2692-32-0x0000000073FF0000-0x000000007459B000-memory.dmp

memory/2692-33-0x0000000073FF0000-0x000000007459B000-memory.dmp

memory/2692-34-0x00000000023F0000-0x0000000002430000-memory.dmp

memory/2692-35-0x00000000023F0000-0x0000000002430000-memory.dmp

memory/2692-36-0x0000000073FF0000-0x000000007459B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 14:52

Reported

2024-04-17 14:57

Platform

win10v2004-20240412-en

Max time kernel

129s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\Bins.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\Bins.exe N/A
N/A N/A C:\Users\Admin\Documents\Bins.exe N/A
N/A N/A C:\Users\Admin\Documents\Bins.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\Bins.exe" C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Documents\Documents:ApplicationData C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\Bins.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4788 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4788 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4788 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4788 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 4788 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 4788 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 4788 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 4788 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 4788 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 4788 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 4788 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 4788 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 4788 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 4788 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 4788 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 4788 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 4788 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
PID 2040 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\Documents\Bins.exe
PID 2040 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\Documents\Bins.exe
PID 2040 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 1252 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3660 wrote to memory of 1252 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3660 wrote to memory of 1252 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3660 wrote to memory of 2740 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\schtasks.exe
PID 3660 wrote to memory of 2740 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\schtasks.exe
PID 3660 wrote to memory of 2740 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\schtasks.exe
PID 3660 wrote to memory of 2476 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 2476 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 2476 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 3788 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 3788 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 3788 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 3788 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 3788 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 3788 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 3788 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 3788 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 3788 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 3788 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3660 wrote to memory of 3788 N/A C:\Users\Admin\Documents\Bins.exe C:\Users\Admin\Documents\Bins.exe
PID 3788 wrote to memory of 3448 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3788 wrote to memory of 3448 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3788 wrote to memory of 3448 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3788 wrote to memory of 3552 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\cmd.exe
PID 3788 wrote to memory of 3552 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\cmd.exe
PID 3788 wrote to memory of 3552 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\cmd.exe
PID 3788 wrote to memory of 3552 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\cmd.exe
PID 3788 wrote to memory of 3552 N/A C:\Users\Admin\Documents\Bins.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe

"C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hDGbEat.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hDGbEat" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E58.tmp"

C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe

"C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Users\Admin\Documents\Bins.exe

"C:\Users\Admin\Documents\Bins.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hDGbEat.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hDGbEat" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD02.tmp"

C:\Users\Admin\Documents\Bins.exe

"C:\Users\Admin\Documents\Bins.exe"

C:\Users\Admin\Documents\Bins.exe

"C:\Users\Admin\Documents\Bins.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 248.81.21.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 74.50.93.170:4040 N/A tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 74.50.93.170:4040 N/A tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 74.50.93.170:4040 N/A tcp
US 74.50.93.170:4040 N/A tcp

Files

memory/4788-1-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/4788-0-0x0000000000010000-0x000000000009C000-memory.dmp

memory/4788-2-0x0000000005230000-0x00000000057D4000-memory.dmp

memory/4788-3-0x0000000004AD0000-0x0000000004B62000-memory.dmp

memory/4788-4-0x0000000004DF0000-0x0000000004E00000-memory.dmp

memory/4788-5-0x0000000002640000-0x000000000264A000-memory.dmp

memory/4788-6-0x0000000004D50000-0x0000000004D64000-memory.dmp

memory/4788-7-0x0000000004D90000-0x0000000004D9A000-memory.dmp

memory/4788-8-0x0000000004DA0000-0x0000000004DAE000-memory.dmp

memory/4788-9-0x0000000005CE0000-0x0000000005D42000-memory.dmp

memory/4788-10-0x0000000008400000-0x000000000849C000-memory.dmp

memory/2320-15-0x0000000004C00000-0x0000000004C36000-memory.dmp

memory/4788-16-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/2320-17-0x0000000005270000-0x0000000005898000-memory.dmp

memory/4788-20-0x0000000004DF0000-0x0000000004E00000-memory.dmp

memory/2320-19-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

memory/2320-18-0x00000000752D0000-0x0000000075A80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7E58.tmp

MD5 b997069577c2eee9b8a4830f8fd2c4e1
SHA1 3f8377765c211b227c79d796ff230f156dc9899a
SHA256 a26308edf709ec6dc5a31121a87e97748def8b8434628796c088dfb98a3a03b1
SHA512 a5d3e1db5d5cda9d721aa9f594e30e7123ee07ca722d30be4d9c9f8d8bc031bf8a0a310101b67c579753bcc628d4f66947b0895f98b9daed1301038ddc83e632

memory/2040-22-0x0000000000400000-0x000000000055A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lqmtzal1.s1y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2320-23-0x0000000005A10000-0x0000000005A32000-memory.dmp

memory/2320-30-0x0000000005AB0000-0x0000000005B16000-memory.dmp

memory/2320-32-0x0000000005B20000-0x0000000005B86000-memory.dmp

memory/2040-31-0x0000000000400000-0x000000000055A000-memory.dmp

memory/4788-39-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/2320-40-0x0000000005E00000-0x0000000006154000-memory.dmp

memory/2040-38-0x0000000000400000-0x000000000055A000-memory.dmp

memory/2320-41-0x00000000061A0000-0x00000000061BE000-memory.dmp

memory/2320-42-0x0000000006350000-0x000000000639C000-memory.dmp

memory/2320-43-0x000000007F5E0000-0x000000007F5F0000-memory.dmp

memory/2320-44-0x0000000007110000-0x0000000007142000-memory.dmp

memory/2320-45-0x0000000075B60000-0x0000000075BAC000-memory.dmp

memory/2320-55-0x0000000006730000-0x000000000674E000-memory.dmp

memory/2320-57-0x0000000007350000-0x00000000073F3000-memory.dmp

memory/2320-56-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

memory/2320-58-0x0000000007AF0000-0x000000000816A000-memory.dmp

memory/2320-59-0x00000000074B0000-0x00000000074CA000-memory.dmp

memory/2320-60-0x0000000007520000-0x000000000752A000-memory.dmp

memory/3476-62-0x0000000004FF0000-0x0000000005000000-memory.dmp

memory/3476-61-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/2320-64-0x0000000007730000-0x00000000077C6000-memory.dmp

memory/3476-63-0x0000000004FF0000-0x0000000005000000-memory.dmp

memory/2320-74-0x00000000076B0000-0x00000000076C1000-memory.dmp

memory/2320-75-0x00000000076E0000-0x00000000076EE000-memory.dmp

memory/2320-76-0x00000000076F0000-0x0000000007704000-memory.dmp

memory/2320-77-0x00000000077F0000-0x000000000780A000-memory.dmp

memory/2320-78-0x00000000077D0000-0x00000000077D8000-memory.dmp

memory/3476-79-0x0000000075B60000-0x0000000075BAC000-memory.dmp

memory/3476-80-0x000000007EED0000-0x000000007EEE0000-memory.dmp

memory/3476-91-0x0000000004FF0000-0x0000000005000000-memory.dmp

memory/3476-90-0x0000000004FF0000-0x0000000005000000-memory.dmp

memory/2320-94-0x00000000752D0000-0x0000000075A80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 809da96a4a1a9a9db5f2482ed49b5b45
SHA1 eaf9fe5bf125ad6edcf8869cb174a01c85cf3646
SHA256 bd5ae39be91171696a393305cf4efa01c196bde496659d2e968a27ed436264e0
SHA512 7d17698d12a5c4a5192002b562a48d4ffcc557137601056e582957881ec6600a80cc0a21a0b7e3f92a02f2cbe9fa58e1d7d31706290bedcc0d876abd805a6057

memory/3476-98-0x00000000752D0000-0x0000000075A80000-memory.dmp

C:\Users\Admin\Documents\Documents:ApplicationData

MD5 56e8402d0a1e55ebf85b38aab8fdcee1
SHA1 0114708fadf2499b4ab2a8b35899ba9516287bc6
SHA256 7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c
SHA512 f888b3001768b46cd0dfa497f4dc063475371df14b899d025b230bf21c921ba00207a4a80e4243f05881b662be5b5ecd301f1b30ca62792a6885c370c0de1716

memory/2040-106-0x0000000000400000-0x000000000055A000-memory.dmp

memory/3660-107-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/3660-108-0x00000000054A0000-0x00000000054B0000-memory.dmp

memory/3660-109-0x0000000005490000-0x00000000054A4000-memory.dmp

memory/3660-111-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/1252-112-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/1252-113-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

memory/1252-114-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

memory/1252-121-0x00000000061A0000-0x00000000064F4000-memory.dmp

memory/3660-132-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/3788-131-0x0000000000400000-0x000000000055A000-memory.dmp

memory/3788-133-0x0000000000400000-0x000000000055A000-memory.dmp

memory/1252-135-0x00000000068D0000-0x000000000691C000-memory.dmp

memory/1252-136-0x000000007F620000-0x000000007F630000-memory.dmp

memory/1252-137-0x00000000729C0000-0x0000000072A0C000-memory.dmp

memory/1252-147-0x0000000007840000-0x00000000078E3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 beb2e57605a8f777d77a4435b1220aad
SHA1 a1bcf62dfc7effec4e5350e9a05ba11c890334eb
SHA256 546875ada6d0275cc46bdf2458b29e290eefe17d8fc134e40a83a1636bc5a575
SHA512 6cccf6f4d2e703169f08dfc7a14eea3472d177a21cb9fee37535e8c3fd67741cabfc97c557924642abe7f13e1dfffa4a26b7bd7db2f8848d1935e070b0eab291

memory/3552-185-0x0000000000750000-0x0000000000751000-memory.dmp