Malware Analysis Report

2025-08-10 22:20

Sample ID 220217-agbfxsgaar
Target 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3
SHA256 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3
Tags
rat netwire warzonerat botnet infostealer stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3

Threat Level: Known bad

The file 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3 was found to be: Known bad.

Malicious Activity Summary

rat netwire warzonerat botnet infostealer stealer

Netwire

WarzoneRat, AveMaria

Netwire family

NetWire RAT payload

Warzone RAT Payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

autoit_exe

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-17 00:10

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-17 00:10

Reported

2022-02-17 00:25

Platform

win7-en-20211208

Max time kernel

157s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 536 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 536 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 536 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 536 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 536 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
PID 536 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
PID 536 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
PID 536 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
PID 536 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
PID 536 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
PID 1772 wrote to memory of 604 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1772 wrote to memory of 604 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1772 wrote to memory of 604 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1772 wrote to memory of 604 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 536 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\schtasks.exe
PID 536 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\schtasks.exe
PID 536 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\schtasks.exe
PID 536 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\schtasks.exe
PID 568 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\cmd.exe
PID 108 wrote to memory of 480 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 108 wrote to memory of 480 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 108 wrote to memory of 480 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 108 wrote to memory of 480 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 480 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 480 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 480 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 480 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 480 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 480 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 480 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 480 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 480 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 480 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 480 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 480 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 480 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 480 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 676 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 676 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 676 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 676 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 676 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 676 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 108 wrote to memory of 1228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 108 wrote to memory of 1228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 108 wrote to memory of 1228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 108 wrote to memory of 1228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1228 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1228 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1228 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1228 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1228 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1228 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1228 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1228 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1228 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1228 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1616 wrote to memory of 416 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 416 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe

"C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe

"C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {24120CBF-F49C-476C-89C3-5E991F46C44F} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

memory/536-55-0x00000000763B1000-0x00000000763B3000-memory.dmp

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/536-61-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/568-63-0x0000000000080000-0x000000000009D000-memory.dmp

memory/568-62-0x0000000000080000-0x000000000009D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/568-77-0x0000000000080000-0x000000000009D000-memory.dmp

memory/1820-79-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/1820-78-0x00000000000B0000-0x00000000000B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 b4699ccdf23a2595c040d7424d78c568
SHA1 26c7ada3170e492fac0f2624c6e78b86dd6f07c0
SHA256 cb08c3ef34c2a82fa2da3508e14cd1ecdb83134fdb76f2b6bfaf83e91006c6b0
SHA512 225e189cd189b9969dac3d34c60022ae11e91168525d9c878e9db6cf8e531a5b049664e9c88c638e67e545256cdd0e016ff5c8e4b78ec73e987fdc69acdb63d7

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 b4699ccdf23a2595c040d7424d78c568
SHA1 26c7ada3170e492fac0f2624c6e78b86dd6f07c0
SHA256 cb08c3ef34c2a82fa2da3508e14cd1ecdb83134fdb76f2b6bfaf83e91006c6b0
SHA512 225e189cd189b9969dac3d34c60022ae11e91168525d9c878e9db6cf8e531a5b049664e9c88c638e67e545256cdd0e016ff5c8e4b78ec73e987fdc69acdb63d7

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/676-92-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 b4699ccdf23a2595c040d7424d78c568
SHA1 26c7ada3170e492fac0f2624c6e78b86dd6f07c0
SHA256 cb08c3ef34c2a82fa2da3508e14cd1ecdb83134fdb76f2b6bfaf83e91006c6b0
SHA512 225e189cd189b9969dac3d34c60022ae11e91168525d9c878e9db6cf8e531a5b049664e9c88c638e67e545256cdd0e016ff5c8e4b78ec73e987fdc69acdb63d7

memory/676-101-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2044-103-0x0000000000130000-0x0000000000131000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 b4699ccdf23a2595c040d7424d78c568
SHA1 26c7ada3170e492fac0f2624c6e78b86dd6f07c0
SHA256 cb08c3ef34c2a82fa2da3508e14cd1ecdb83134fdb76f2b6bfaf83e91006c6b0
SHA512 225e189cd189b9969dac3d34c60022ae11e91168525d9c878e9db6cf8e531a5b049664e9c88c638e67e545256cdd0e016ff5c8e4b78ec73e987fdc69acdb63d7

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 b4699ccdf23a2595c040d7424d78c568
SHA1 26c7ada3170e492fac0f2624c6e78b86dd6f07c0
SHA256 cb08c3ef34c2a82fa2da3508e14cd1ecdb83134fdb76f2b6bfaf83e91006c6b0
SHA512 225e189cd189b9969dac3d34c60022ae11e91168525d9c878e9db6cf8e531a5b049664e9c88c638e67e545256cdd0e016ff5c8e4b78ec73e987fdc69acdb63d7

memory/416-125-0x0000000000200000-0x0000000000201000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-17 00:10

Reported

2022-02-17 00:25

Platform

win10v2004-en-20220113

Max time kernel

170s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 428 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 428 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 428 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4604 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 4604 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 4604 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 428 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
PID 428 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
PID 428 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
PID 428 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
PID 428 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
PID 4900 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\cmd.exe
PID 428 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\schtasks.exe
PID 428 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\schtasks.exe
PID 428 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\schtasks.exe
PID 4900 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1944 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1944 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1944 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1944 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1944 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1944 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1944 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1308 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1944 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1944 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1308 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1128 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1128 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1128 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1128 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1128 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1128 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1128 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1128 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1272 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1128 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1128 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1128 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1272 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4404 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4404 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4404 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4404 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4404 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4404 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4404 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4776 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4776 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4776 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4404 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe

"C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe

"C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp

Files

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/428-134-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/4900-135-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4900-142-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2796-143-0x00000000009B0000-0x00000000009B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 20ddf84b46be2eb666e0010e0dbcfbab
SHA1 b5cddb1edd1127680dfab2e4746c0dea562d6374
SHA256 6e57956414d15632725482f6d41c1820842f48c00a7c57f60a55fdbe6e248c52
SHA512 09c83536960196d016aeb1eb8f7fed8d92a60fabdf2140497eacb22f950e9f7b4c9a3dcf9d29763c15661446bfa6cc118a422ef6f2ca46d01e5422113fd53d74

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 20ddf84b46be2eb666e0010e0dbcfbab
SHA1 b5cddb1edd1127680dfab2e4746c0dea562d6374
SHA256 6e57956414d15632725482f6d41c1820842f48c00a7c57f60a55fdbe6e248c52
SHA512 09c83536960196d016aeb1eb8f7fed8d92a60fabdf2140497eacb22f950e9f7b4c9a3dcf9d29763c15661446bfa6cc118a422ef6f2ca46d01e5422113fd53d74

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 20ddf84b46be2eb666e0010e0dbcfbab
SHA1 b5cddb1edd1127680dfab2e4746c0dea562d6374
SHA256 6e57956414d15632725482f6d41c1820842f48c00a7c57f60a55fdbe6e248c52
SHA512 09c83536960196d016aeb1eb8f7fed8d92a60fabdf2140497eacb22f950e9f7b4c9a3dcf9d29763c15661446bfa6cc118a422ef6f2ca46d01e5422113fd53d74

memory/4252-156-0x00000000016B0000-0x00000000016B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/3936-158-0x000001EE67220000-0x000001EE67230000-memory.dmp

memory/3936-159-0x000001EE67280000-0x000001EE67290000-memory.dmp

memory/3936-160-0x000001EE69930000-0x000001EE69934000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 20ddf84b46be2eb666e0010e0dbcfbab
SHA1 b5cddb1edd1127680dfab2e4746c0dea562d6374
SHA256 6e57956414d15632725482f6d41c1820842f48c00a7c57f60a55fdbe6e248c52
SHA512 09c83536960196d016aeb1eb8f7fed8d92a60fabdf2140497eacb22f950e9f7b4c9a3dcf9d29763c15661446bfa6cc118a422ef6f2ca46d01e5422113fd53d74

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 20ddf84b46be2eb666e0010e0dbcfbab
SHA1 b5cddb1edd1127680dfab2e4746c0dea562d6374
SHA256 6e57956414d15632725482f6d41c1820842f48c00a7c57f60a55fdbe6e248c52
SHA512 09c83536960196d016aeb1eb8f7fed8d92a60fabdf2140497eacb22f950e9f7b4c9a3dcf9d29763c15661446bfa6cc118a422ef6f2ca46d01e5422113fd53d74

memory/1128-171-0x0000000001510000-0x0000000001511000-memory.dmp

memory/2416-173-0x0000000000710000-0x0000000000711000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 20ddf84b46be2eb666e0010e0dbcfbab
SHA1 b5cddb1edd1127680dfab2e4746c0dea562d6374
SHA256 6e57956414d15632725482f6d41c1820842f48c00a7c57f60a55fdbe6e248c52
SHA512 09c83536960196d016aeb1eb8f7fed8d92a60fabdf2140497eacb22f950e9f7b4c9a3dcf9d29763c15661446bfa6cc118a422ef6f2ca46d01e5422113fd53d74

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 20ddf84b46be2eb666e0010e0dbcfbab
SHA1 b5cddb1edd1127680dfab2e4746c0dea562d6374
SHA256 6e57956414d15632725482f6d41c1820842f48c00a7c57f60a55fdbe6e248c52
SHA512 09c83536960196d016aeb1eb8f7fed8d92a60fabdf2140497eacb22f950e9f7b4c9a3dcf9d29763c15661446bfa6cc118a422ef6f2ca46d01e5422113fd53d74

memory/5036-185-0x0000000000670000-0x0000000000671000-memory.dmp