Analysis
max time kernel: 569s
max time network: 485s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted: 27/01/2025, 23:52
Behavioral task
behavioral1
Sample
WARZONE RAT 3.03/WARZONE Password Viewer 1.0.exe
Resource
win11-20241007-en
Behavioral task
behavioral2
Sample
WARZONE RAT 3.03/WARZONE RAT 3.03 Cracked.exe
Resource
win11-20241007-en
General
Target: WARZONE RAT 3.03/WARZONE RAT 3.03 Cracked.exe
Size: 7.5MB
MD5: 03977a4fc47100f00650d65b1088f391
SHA1: 2517557e6bdb3e2268143f4690a4cc44426ac481
SHA256: 2325745d8b078385be3a995640b2cee98e85c8ac1c111fde5fcb1c257d9efe7d
SHA512: 2ad09d2e14ea3f83a950b76444b49d49b53a5735f1256f6c59f97bf380bd89e59f97f157ba7a75416e154e9142e33a609eb10c4c5f59963487d4d2ec6adb4a3c
SSDEEP: 196608:fWjyOLFVG2tUpi7tPRopU2Pa3uAdvCgoYEttoTBoWY/:fR6FVJUpi7tJoDAdvbEttoev/
Malware Config
Extracted
warzonerat
127.0.0.1:5200
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: WARZONE RAT 3.03 Cracked.exe)
-
Warzone RAT payload 1 IoCs
Resource: behavioral2/files/0x0006000000000693-247.dat (YARA rule: warzonerat)
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: WARZONE RAT 3.03 Cracked.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: WARZONE RAT 3.03 Cracked.exe)
-
Executes dropped EXE 1 IoCs
PID 4912 nw.exe
-
Resource: behavioral2/memory/2932-0-0x0000000000400000-0x0000000001411000-memory.dmp (YARA rule: themida)
Resource: behavioral2/memory/2932-3-0x0000000000400000-0x0000000001411000-memory.dmp (YARA rule: themida)
Resource: behavioral2/memory/2932-2-0x0000000000400000-0x0000000001411000-memory.dmp (YARA rule: themida)
Resource: behavioral2/memory/2932-4-0x0000000000400000-0x0000000001411000-memory.dmp (YARA rule: themida)
Resource: behavioral2/memory/2932-5-0x0000000000400000-0x0000000001411000-memory.dmp (YARA rule: themida)
Resource: behavioral2/memory/2932-22-0x0000000000400000-0x0000000001411000-memory.dmp (YARA rule: themida)
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: WARZONE RAT 3.03 Cracked.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
PID 2932 WARZONE RAT 3.03 Cracked.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WARZONE RAT 3.03 Cracked.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: nw.exe)
-
Enumerates system info in registry 2 TTPs 3 IoCs
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
Modifies registry class 56 IoCs
Suspicious behavior: EnumeratesProcesses 8 IoCs
PID 2964 msedge.exe (2 occurrences)
PID 4484 msedge.exe (2 occurrences)
PID 1340 identity_helper.exe (2 occurrences)
PID 2024 msedge.exe (2 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
PID 2932 WARZONE RAT 3.03 Cracked.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
PID 4484 msedge.exe (8 occurrences)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Token: 33, PID 2456 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege, PID 2456 AUDIODG.EXE
Token: SeShutdownPrivilege, PID 4912 nw.exe
-
Suspicious use of FindShellTrayWindow 26 IoCs
PID 4484 msedge.exe (26 occurrences)
-
Suspicious use of SendNotifyMessage 12 IoCs
PID 4484 msedge.exe (12 occurrences)
-
Suspicious use of SetWindowsHookEx 2 IoCs
PID 2932 WARZONE RAT 3.03 Cracked.exe
PID 4912 nw.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
"C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe" (PID 2932)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://warzone.ws/customer/index.php?rp=/knowledgebase (PID 4484)
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff96bc3cb8,0x7fff96bc3cc8,0x7fff96bc3cd8 (PID 3208)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2 (PID 752)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3 (PID 2964)
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8 (PID 2732)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1 (PID 3964)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1 (PID 4088)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1 (PID 3520)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1 (PID 2908)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1 (PID 232)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1 (PID 2864)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1 (PID 2300)
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8 (PID 1340)
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8 (PID 2024)
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1 (PID 4232)
-
C:\Windows\System32\CompPkgSrv.exe -Embedding (PID 1540)
-
C:\Windows\System32\CompPkgSrv.exe -Embedding (PID 2696)
-
"C:\Users\Admin\Desktop\nw.exe" (PID 4912)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8 (PID 2456)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads