warzonerat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/RAT/WarzoneRAT[.]exe

Analysis

max time kernel
62s
max time network
62s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29/12/2024, 07:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/RAT/WarzoneRAT.exe

Score

10^/10

warzonerat discovery infostealer rat rezer0

Malware Config

Extracted

Family

warzonerat

168.61.222.215:5400

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/4260-210-0x0000000006700000-0x0000000006728000-memory.dmp	rezer0

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2400-222-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/2400-224-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe

Executes dropped EXE 5 IoCs

pid	Process
4260	WarzoneRAT.exe
5628	WarzoneRAT.exe
5860	WarzoneRAT.exe
5604	WarzoneRAT.exe
1732	WarzoneRAT.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
25	raw.githubusercontent.com

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4260 set thread context of 2400	4260	WarzoneRAT.exe	115
PID 5628 set thread context of 5764	5628	WarzoneRAT.exe	126
PID 5860 set thread context of 6000	5860	WarzoneRAT.exe	131
PID 5604 set thread context of 5628	5604	WarzoneRAT.exe	141
PID 1732 set thread context of 5928	1732	WarzoneRAT.exe	147

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241229074742.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e48dd12d-16c6-47c3-bfff-0378a6469e0f.tmp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5936	schtasks.exe
5716	schtasks.exe
5992	schtasks.exe
2020	schtasks.exe
5708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2376	msedge.exe
2376	msedge.exe
1244	msedge.exe
1244	msedge.exe
1064	identity_helper.exe
1064	identity_helper.exe
2580	msedge.exe
2580	msedge.exe
4260	WarzoneRAT.exe
4260	WarzoneRAT.exe
4260	WarzoneRAT.exe
4260	WarzoneRAT.exe
4260	WarzoneRAT.exe
4260	WarzoneRAT.exe
5628	WarzoneRAT.exe
5628	WarzoneRAT.exe
5628	WarzoneRAT.exe
5628	WarzoneRAT.exe
5860	WarzoneRAT.exe
5860	WarzoneRAT.exe
5860	WarzoneRAT.exe
5860	WarzoneRAT.exe
5604	WarzoneRAT.exe
5604	WarzoneRAT.exe
5604	WarzoneRAT.exe
5604	WarzoneRAT.exe
5604	WarzoneRAT.exe
5604	WarzoneRAT.exe
5604	WarzoneRAT.exe
5604	WarzoneRAT.exe
1732	WarzoneRAT.exe
1732	WarzoneRAT.exe
1732	WarzoneRAT.exe
1732	WarzoneRAT.exe
1732	WarzoneRAT.exe
1732	WarzoneRAT.exe
1732	WarzoneRAT.exe
1732	WarzoneRAT.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	WarzoneRAT.exe
Token: SeDebugPrivilege	5628	WarzoneRAT.exe
Token: SeDebugPrivilege	5860	WarzoneRAT.exe
Token: SeDebugPrivilege	5604	WarzoneRAT.exe
Token: SeDebugPrivilege	1732	WarzoneRAT.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1384	1244	msedge.exe	81
PID 1244 wrote to memory of 1384	1244	msedge.exe	81
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2380	1244	msedge.exe	82
PID 1244 wrote to memory of 2376	1244	msedge.exe	83
PID 1244 wrote to memory of 2376	1244	msedge.exe	83
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84
PID 1244 wrote to memory of 4172	1244	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/RAT/WarzoneRAT.exe
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffeef1446f8,0x7ffeef144708,0x7ffeef144718
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1876
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6d8375460,0x7ff6d8375470,0x7ff6d8375480
    3⤵
    PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:1532
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9DA7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1796
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17244417529987646736,4608296629863906843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:5504
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5628
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDADF.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5764
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5860
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpECA2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3524

C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5604
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2584.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:5696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:5776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5628

C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2EEB.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:5912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:5880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WarzoneRAT.exe.log

Filesize
507B

MD5
99bc7c92ff1f6642977ff3c7465fab28

SHA1
1eff41803e0e41dc0875a487c0518b1b57d06361

SHA256
786039babd4fa235b09901db1874338548d823ddd8fb4e801f84b880eb2bb49a

SHA512
8edb36c9a1045f34a72b4b376b63324d3df7d61008a63bd84b8e764bedff9b460fb0b260ca9ffbe5a79a3a8468e52f419adef3ea197fa89f8268d0d93457dda4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
913cd25b0de81960e841c81a7bee8b19

SHA1
2c4bf2a4de37c06bea3e39898c9a98ee611b5455

SHA256
b01953744098bc035aee2a21976607df9352ca42abc3e01d769e2ceee1c9bd5f

SHA512
e5a879cdd1f83d6b6ee13117924522c967e2413c29722b5507b632514e28a0defbbcc942e7176f819e05df7bef37ca5133ba5efeb67a91c34b3736eec05ac8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de0e1d3019517b3b005d7731bbb8a355

SHA1
ddf1f15c241f72585595cd30de12c4c3ce4e2f97

SHA256
4ceef5b8daa774c456edd70e46668746b8fa086bb9515ed5975e6737e40dc3f0

SHA512
84f7a069fd6f0713fdb9d35f17839b8755671047be477e49102f5777e8ebeeaa6421d3816727dd37f1241f4653c063fb0823ae7bab1d3001635c5075c2ba464d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9d3f8824-c47c-4fc6-9899-abaf7ac4669c.tmp

Filesize
5KB

MD5
a9b0e396860c72c3898a1bad9509963b

SHA1
8d562852df419acd4f59d54b21fb2533e0b80127

SHA256
34f2c4c5160283f4457505bb279ac679c90acfe1ddead685deeff3d5c70ea20b

SHA512
9adff92d56a9cb40ce07268c90be6ea5b803e95ad47e02207de01fa042f56ed9f6089e09755bc78aeaa1e15aefcef4ae9ea403119bc59140609bac09e7d18245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4bd59856763d49779eefd46a14332266

SHA1
3c2a17108cd38ffde6251a6081ffded0b0587a03

SHA256
27b0ee1f054a50f64327df5ec9955e7f49eda2f939fdf4ee19b95e4bd2f326aa

SHA512
c974f2bf7edf716f34019f82ce7c6aed9941f3b0e20619b76496eb41750b17997034976dda17f966c5ed162a7d22d36f7d49244293bdf0dc2cff5aa1fc0f1c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6fd2f4f3342079096139576a69dbab4b

SHA1
95654c7454cba861ac12cf8700cc6c83ac4d2641

SHA256
d4384df85a2225900a05c14e2cd041286b9683614f0f6197f37585afdd3c9ff5

SHA512
d106beec0ef5501c004496282c860ef42ac892e503d2a3d92cc91f8ca3dfe484ddb4c2b498f3c20967bc9558257f889ea4be16c9a9b23b3c8aa1312337e73ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
668245fa79ef508a9989b7603c1f2104

SHA1
873a2a71cb87725ebbbf8b8a916fbbba72685954

SHA256
7cf98f7c2c75ba616248955e270de41583b80c49b2aea860d0c659603e763e84

SHA512
24125d5eb2d2bf5a6f7228c82af7b328d17e17b0799097b4519f68ff16f72e15f4d00007d09a1f279b6fdd84096dd3881dde9424897c06b28a45940a07e45ced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
cc420cc45f686797b102b94f6bfda2ee

SHA1
2b0b5d4848cc346c341cbd51d5fc6ce8a08910e7

SHA256
23f845e57c6718a65f93b97ac9c425d7abaad84f75e77e662c4df298305b9a19

SHA512
2410ec9ef56e8ad547219c4ffde2d02ab4fe8ea668c51f6519e224805770375427a4db95eab5e5f062ebdf36323c5bf03d1633508776fa553da2e8c408846092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
832b664db8c95c83ff39b95fac93bb5b

SHA1
9d244b3081440efd5dcb15c341b2e790e5af359c

SHA256
d1d1d00928970105a43609aa8e2516b41e9473ac285cb591fecaf74b69213487

SHA512
0d46d177ca250277b341f04e3e4565b048069a14993bd1d89d38d03ac8cc4b499dcb2c181bd86f12f903054923a3bb47787d229ee975d900dfd6297db22c246b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3ec463b423555c198a2e55cbc9f8166c

SHA1
67a95569d8243054dfd8f2abfd5ecd175cf483c7

SHA256
fed820f1544b5aecfd174da9dd066cc3af53d43afb36939776248d4e07a018c5

SHA512
1a0d05f171a488f50417654459b96be59536b47afea70f51e0c0555b0d77c73e947db6b54165911c8ce0571347b52a533ef8b6c9c5e26123c4e4686e176652f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
afea951633d8b15f89a3075296bde563

SHA1
a40f910650d637d0e59822596b8f4531fcae317c

SHA256
2ef29efd839860c4c5fecf35aaa5c28b790d4a2297c95bd41986a0fadfbd36c4

SHA512
2166b78ef9cb7aea51a3cc5d6bca0371a52bdf3720136c8b69f97b4fe45fbe6b004efeab4877d4a8643421800394c5841782ba8055e4bbfbba4f19f13e48cd7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
473461968b59357c967d33b42c8bf323

SHA1
a0e13d6edabd007e1617240211b4a96d95454356

SHA256
69db64331b0d5a283821207e173972a637ccaf354b4a0a666f37a095edbc7a09

SHA512
0a434894d0a770dd5d2390d5306cf0f5d3d01c8138f90220962ba8ae98e770e251bd4171a66970923382b8893ebc357fde58c24efd94e499e13108c780a2c46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9DA7.tmp

Filesize
1KB

MD5
dc4a3f7b1dd93aa2f6215630df6cbfb5

SHA1
602bab1f44a34bb0ad1dab2d6e4161c94bd02f85

SHA256
4183cceac7aa1f6830017883d321ee14036bf5fb8a55817f484d95cddc154862

SHA512
1924cc162fdf11089ddafea53dfe330ad53d62868c44764fcdd0423f20d09cd6fc526076a4a2e6cea1eeaa17f518d461f3f72573cadfea532508a87e7ba54018

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
b044ece16dc26380b8db6f74dd909fa9

SHA1
cded180104c1a58cb0e9191bc5326eb2d32a7ddc

SHA256
8cbd07936ea9ab5247a1ff6fc01fc770dcddb4d615678ef878bfab9f36c0be9f

SHA512
1f1faa634d110d5a4b70ba5e81c13dc1e6c4a373ad7eba77ae9409d79fc9a98ecb50aecb9188a5bc1c2017e109c83286120f9b354bafbac8ff886be7bed214a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
c5b493d94197ba57e55dc04a25408259

SHA1
022cd2702a45230efb3f84bff1479136d391b688

SHA256
aa6f0c1221edef79c2a2ab789b62ffe3d121f98e4ddd9016c50cd0d5c790d73a

SHA512
842007cdf0603582af29d5578bb962e28438d9d1f713aeacffb99c1cf2e0829a06625281408a6a4a02c8fd902cd8f083dad2341cfa86e753b41c314056042c4e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 52678.crdownload

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
memory/2400-222-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2400-224-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4260-199-0x0000000005B50000-0x0000000005B58000-memory.dmp

Filesize
32KB

Download
memory/4260-209-0x00000000067A0000-0x000000000683C000-memory.dmp

Filesize
624KB

Download
memory/4260-210-0x0000000006700000-0x0000000006728000-memory.dmp

Filesize
160KB

Download
memory/4260-198-0x0000000005B80000-0x0000000005C12000-memory.dmp

Filesize
584KB

Download
memory/4260-197-0x0000000006050000-0x00000000065F6000-memory.dmp

Filesize
5.6MB

Download
memory/4260-194-0x0000000000D90000-0x0000000000DE6000-memory.dmp

Filesize
344KB

Download