warzonerat | 3acce18fa1327b1e89c47997fe1da62a86a1211d893f5128b4c59fa44d57b335

Analysis

max time kernel
569s
max time network
485s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27/01/2025, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WARZONE RAT 3.03/WARZONE RAT 3.03 Cracked.exe
Size

7.5MB
MD5

03977a4fc47100f00650d65b1088f391
SHA1

2517557e6bdb3e2268143f4690a4cc44426ac481
SHA256

2325745d8b078385be3a995640b2cee98e85c8ac1c111fde5fcb1c257d9efe7d
SHA512

2ad09d2e14ea3f83a950b76444b49d49b53a5735f1256f6c59f97bf380bd89e59f97f157ba7a75416e154e9142e33a609eb10c4c5f59963487d4d2ec6adb4a3c
SSDEEP

196608:fWjyOLFVG2tUpi7tPRopU2Pa3uAdvCgoYEttoTBoWY/:fR6FVJUpi7tJoDAdvbEttoev/

Score

10^/10

warzonerat defense_evasion discovery infostealer rat themida trojan

Malware Config

Extracted

Family

warzonerat

127.0.0.1:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WARZONE RAT 3.03 Cracked.exe

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0006000000000693-247.dat	warzonerat

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WARZONE RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WARZONE RAT 3.03 Cracked.exe

Executes dropped EXE 1 IoCs

pid	Process
4912	nw.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2932-0-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral2/memory/2932-3-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral2/memory/2932-2-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral2/memory/2932-4-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral2/memory/2932-5-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral2/memory/2932-22-0x0000000000400000-0x0000000001411000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WARZONE RAT 3.03 Cracked.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2932	WARZONE RAT 3.03 Cracked.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WARZONE RAT 3.03 Cracked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 56 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	WARZONE RAT 3.03 Cracked.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	WARZONE RAT 3.03 Cracked.exe
Key created	\Registry\User\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\NotificationData	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	WARZONE RAT 3.03 Cracked.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	WARZONE RAT 3.03 Cracked.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	WARZONE RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	WARZONE RAT 3.03 Cracked.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	WARZONE RAT 3.03 Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	WARZONE RAT 3.03 Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000008b11c756af18db01a8987baeb318db01a8987baeb318db0114000000	WARZONE RAT 3.03 Cracked.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2964	msedge.exe
2964	msedge.exe
4484	msedge.exe
4484	msedge.exe
1340	identity_helper.exe
1340	identity_helper.exe
2024	msedge.exe
2024	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2932	WARZONE RAT 3.03 Cracked.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2456	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2456	AUDIODG.EXE
Token: SeShutdownPrivilege	4912	nw.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2932	WARZONE RAT 3.03 Cracked.exe
4912	nw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 4484	2932	WARZONE RAT 3.03 Cracked.exe	84
PID 2932 wrote to memory of 4484	2932	WARZONE RAT 3.03 Cracked.exe	84
PID 4484 wrote to memory of 3208	4484	msedge.exe	85
PID 4484 wrote to memory of 3208	4484	msedge.exe	85
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 752	4484	msedge.exe	86
PID 4484 wrote to memory of 2964	4484	msedge.exe	87
PID 4484 wrote to memory of 2964	4484	msedge.exe	87
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88
PID 4484 wrote to memory of 2732	4484	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://warzone.ws/customer/index.php?rp=/knowledgebase
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff96bc3cb8,0x7fff96bc3cc8,0x7fff96bc3cd8
    3⤵
    PID:3208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
    3⤵
    PID:2732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    3⤵
    PID:3964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:4088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
    3⤵
    PID:3520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
    3⤵
    PID:2908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
    3⤵
    PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
    3⤵
    PID:2864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
    3⤵
    PID:2300
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
    3⤵
    PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2696

C:\Users\Admin\Desktop\nw.exe
"C:\Users\Admin\Desktop\nw.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
564c64b1a75749db42fb4538f470954c

SHA1
785965c44a71225c6539bb7900a2cf8fca843897

SHA256
80bfbe691bf240b57a34619ac85412136021433bf34e690e071758c3ec066a69

SHA512
ad942e084246bf8564609b4e4d016c111c05e6ad1a26754997af1defd344c1213af23d2a3a24e208c8b56fa6f53911355439960c92b6acd54fe050784e1c0934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6c66ff6cdd156e9a9f3724ede788badd

SHA1
c2ac9e32646095fa35c1b0cbaa683b9fb0c137e9

SHA256
098400cadf197283922a3e30043d4ba4323793a023863c2bfbd1f862213b0e3e

SHA512
44e673b8f678a2e7a5fe2c544d5fd9f865d68f91577583fc1cd0767e7f0c488e518f2d2d3db166ae0ed3c504919a482a260ca90e213df65d2322cf86dbc8a1f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a03b30022c5983aa577695e6d5e7942e

SHA1
497ecd06fb4e38744bf6c66d9bfa4425c3b18498

SHA256
b7baf615a58f854409f0cd077ff3ee6df7bd61d2fc2f15726c91f03120c7291c

SHA512
1460a0292c42db39f6645ec5c3a4d5cdc463b6dac4dd247d3cf8623f165e44545a88143207b625737c084cdc79ba8743fb21abbb95f90271a70531ac2ab435a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3af2b830034fb2b2ec1333f9b9cb3619

SHA1
ad12bac3e748f036e456d2f1e2f4b2c4696ac1ae

SHA256
26335ae2d115092771ac5702f54c8857847d0eb7e2d2587f9abd94a7b5c066e3

SHA512
55eeb0d7de2bd9291f27da803ece8a07ef3f5ac0066dc5184939127b9157ee6042a9556e126d773eccc577f77d706e9b7a9b821dacda124a3b91fc2888265270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f6a6c6876867555e83a97303293e4131

SHA1
78faaf598718cbf5e3207955a240d91506e2f8f6

SHA256
d86c8acef996b6e07ff291e5912c98e877669a87cdc45ecce9acbb9b052ff08e

SHA512
1cc213d09ddb17aac5fe0ae0ce560d770680e1f6090416b35aaa4162bfaa79da372e8cd85e074b05e53c450e98fd8057e651ab33bf7a903626e8e4b07d513419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
e51b84e6a6ee8596711a443dda503231

SHA1
4d4bf48b6fde32d659d053c5235064d1de831443

SHA256
0ecd6b9ead98ad92fe01ddc5861c9fb0d7bb4fa3d592656e8c73442056cee1a2

SHA512
542d582d4fe8c50859728f0d9254cd15248f0410de4630ea5ce27ddaa7f7a90b4be1b11ad255decabb7f72b481b97a88aabc6806fa9f1f2bdc7e3dda22d3d77d

Download Submit
C:\Users\Admin\Desktop\nw.exe

Filesize
132KB

MD5
ca86a4d23a64433903b220ce55ca107f

SHA1
82be3b2ae402688f79bb06c16e1216836f966409

SHA256
59343067bb73616915ed1f4032445bda532972d665065fab90e905bcf50a3877

SHA512
3aabb6f4392a208b60e9e86874c44287e3fcdcead68292824fcce42e083e2abdd6edbf9d1ef2157cd2630ab1f0496bba23a540c3f6289288ebe3ed34d82e671a

Download Submit
memory/2932-13-0x0000000073870000-0x0000000074021000-memory.dmp

Filesize
7.7MB

Download
memory/2932-15-0x0000000073870000-0x0000000074021000-memory.dmp

Filesize
7.7MB

Download
memory/2932-18-0x0000000073870000-0x0000000074021000-memory.dmp

Filesize
7.7MB

Download
memory/2932-19-0x0000000073870000-0x0000000074021000-memory.dmp

Filesize
7.7MB

Download
memory/2932-20-0x0000000007B90000-0x0000000007BF6000-memory.dmp

Filesize
408KB

Download
memory/2932-21-0x0000000007DA0000-0x0000000007DAA000-memory.dmp

Filesize
40KB

Download
memory/2932-22-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/2932-23-0x000000007387E000-0x000000007387F000-memory.dmp

Filesize
4KB

Download
memory/2932-24-0x0000000073870000-0x0000000074021000-memory.dmp

Filesize
7.7MB

Download
memory/2932-28-0x0000000073870000-0x0000000074021000-memory.dmp

Filesize
7.7MB

Download
memory/2932-30-0x0000000073870000-0x0000000074021000-memory.dmp

Filesize
7.7MB

Download
memory/2932-17-0x0000000007AD0000-0x0000000007B62000-memory.dmp

Filesize
584KB

Download
memory/2932-16-0x00000000073E0000-0x0000000007986000-memory.dmp

Filesize
5.6MB

Download
memory/2932-14-0x0000000005DE0000-0x0000000005EDE000-memory.dmp

Filesize
1016KB

Download
memory/2932-0-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/2932-12-0x0000000006920000-0x00000000072E0000-memory.dmp

Filesize
9.8MB

Download
memory/2932-11-0x000000007387E000-0x000000007387F000-memory.dmp

Filesize
4KB

Download
memory/2932-5-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/2932-4-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/2932-2-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/2932-3-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/2932-1-0x00000000771F6000-0x00000000771F8000-memory.dmp

Filesize
8KB

Download