Malware Analysis Report

2025-08-10 22:20

Sample ID 220217-aj1htsegd9
Target 7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd
SHA256 7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd
Tags
netwire warzonerat botnet infostealer rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd

Threat Level: Known bad

The file 7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd was found to be: Known bad.

Malicious Activity Summary

netwire warzonerat botnet infostealer rat stealer

WarzoneRat, AveMaria

Netwire

NetWire RAT payload

Netwire family

Warzone RAT Payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

autoit_exe

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-17 00:15

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-17 00:15

Reported

2022-02-17 00:24

Platform

win10v2004-en-20220113

Max time kernel

166s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe N/A

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3924 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3924 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3924 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3924 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe
PID 3924 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe
PID 3924 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe
PID 3924 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe
PID 3164 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3164 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3164 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3924 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe
PID 3924 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3924 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3924 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\schtasks.exe
PID 756 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1920 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1920 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1920 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1920 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1920 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1920 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1920 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3640 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1920 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1920 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 3640 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4544 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4544 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4544 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4544 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4544 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4544 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4544 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4608 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4544 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4544 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4608 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe

"C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe

"C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
NL 8.238.21.126:80 tcp
NL 8.238.21.126:80 tcp
US 52.182.141.63:443 tcp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp

Files

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/3924-132-0x0000000001730000-0x0000000001731000-memory.dmp

memory/756-133-0x0000000000E00000-0x0000000000E1D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/756-142-0x0000000000E00000-0x0000000000E1D000-memory.dmp

memory/4016-143-0x0000000000900000-0x0000000000901000-memory.dmp

memory/3448-144-0x00000201E9320000-0x00000201E9330000-memory.dmp

memory/3448-145-0x00000201E9380000-0x00000201E9390000-memory.dmp

memory/3448-146-0x00000201EBA30000-0x00000201EBA34000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 e45f1dd60d123edd544565b0c64a21e2
SHA1 920e84b93b5ac1ba476ecd6e185c32417e31796d
SHA256 7df3f71ed80aeee7f3f5aeac041299bb4abd46c377131fd19f5945da0695cce6
SHA512 16739f60d0921a4ebc535cffc83797ea507a87106cca0c2cbc1a1fb7d344b528f4f90b69149d6e64eed24f9394e26a58e45e2bef1b0c3cc9712e9a06a1b2ed91

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 e45f1dd60d123edd544565b0c64a21e2
SHA1 920e84b93b5ac1ba476ecd6e185c32417e31796d
SHA256 7df3f71ed80aeee7f3f5aeac041299bb4abd46c377131fd19f5945da0695cce6
SHA512 16739f60d0921a4ebc535cffc83797ea507a87106cca0c2cbc1a1fb7d344b528f4f90b69149d6e64eed24f9394e26a58e45e2bef1b0c3cc9712e9a06a1b2ed91

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/3640-150-0x00000000014C0000-0x00000000014DD000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 e45f1dd60d123edd544565b0c64a21e2
SHA1 920e84b93b5ac1ba476ecd6e185c32417e31796d
SHA256 7df3f71ed80aeee7f3f5aeac041299bb4abd46c377131fd19f5945da0695cce6
SHA512 16739f60d0921a4ebc535cffc83797ea507a87106cca0c2cbc1a1fb7d344b528f4f90b69149d6e64eed24f9394e26a58e45e2bef1b0c3cc9712e9a06a1b2ed91

memory/3640-158-0x00000000014C0000-0x00000000014DD000-memory.dmp

memory/2108-159-0x0000000000F30000-0x0000000000F31000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 e45f1dd60d123edd544565b0c64a21e2
SHA1 920e84b93b5ac1ba476ecd6e185c32417e31796d
SHA256 7df3f71ed80aeee7f3f5aeac041299bb4abd46c377131fd19f5945da0695cce6
SHA512 16739f60d0921a4ebc535cffc83797ea507a87106cca0c2cbc1a1fb7d344b528f4f90b69149d6e64eed24f9394e26a58e45e2bef1b0c3cc9712e9a06a1b2ed91

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/4608-163-0x0000000001680000-0x000000000169D000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 e45f1dd60d123edd544565b0c64a21e2
SHA1 920e84b93b5ac1ba476ecd6e185c32417e31796d
SHA256 7df3f71ed80aeee7f3f5aeac041299bb4abd46c377131fd19f5945da0695cce6
SHA512 16739f60d0921a4ebc535cffc83797ea507a87106cca0c2cbc1a1fb7d344b528f4f90b69149d6e64eed24f9394e26a58e45e2bef1b0c3cc9712e9a06a1b2ed91

memory/4608-171-0x0000000001680000-0x000000000169D000-memory.dmp

memory/4660-172-0x0000000000620000-0x0000000000621000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-17 00:15

Reported

2022-02-17 00:23

Platform

win7-en-20211208

Max time kernel

156s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1568 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1568 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1568 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1568 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1724 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1724 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1724 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1724 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1568 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe
PID 1568 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe
PID 1568 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe
PID 1568 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe
PID 1568 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe
PID 1568 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe
PID 1528 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1568 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1568 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1568 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1528 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 1752 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1688 wrote to memory of 1752 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1688 wrote to memory of 1752 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1688 wrote to memory of 1752 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1752 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1752 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1752 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1752 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1752 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1752 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1752 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1752 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1752 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1752 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1792 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1752 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1752 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1752 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1792 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 1776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1688 wrote to memory of 1776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1688 wrote to memory of 1776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1688 wrote to memory of 1776 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1776 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1776 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1776 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1776 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1776 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1776 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1776 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1776 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1776 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1776 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1100 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe

"C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe

"C:\Users\Admin\AppData\Local\Temp\7dfc40d6059ba8ec2d090f10873f8d1490ae39dbe882b4a6d5930550aa95b1bd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {A3BF48CB-7739-44E4-AAA6-C01BBC4B0B20} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

memory/1568-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/1528-66-0x0000000000080000-0x000000000009D000-memory.dmp

memory/1528-67-0x0000000000080000-0x000000000009D000-memory.dmp

memory/1528-75-0x0000000000080000-0x000000000009D000-memory.dmp

memory/1568-76-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

memory/276-77-0x0000000000160000-0x0000000000161000-memory.dmp

memory/276-78-0x0000000000160000-0x0000000000161000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 cbc11a3576f8d8616b7ed1e6a57492f6
SHA1 bd7fe6130b392ddcb56e8e6bb04fa458ff9bb4bd
SHA256 75d8d5b847433ab03ccdf577a3dd15987e4833d5146a8aab9906e0aa749138aa
SHA512 99760c4c4b56d53020e25fd550154f45bce02486d529917cf70a9f1207cdbc612953b7a542e3ffa00a87f55c780ccf901b1cbe90aecfb3fbacd32b6be518acf7

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 cbc11a3576f8d8616b7ed1e6a57492f6
SHA1 bd7fe6130b392ddcb56e8e6bb04fa458ff9bb4bd
SHA256 75d8d5b847433ab03ccdf577a3dd15987e4833d5146a8aab9906e0aa749138aa
SHA512 99760c4c4b56d53020e25fd550154f45bce02486d529917cf70a9f1207cdbc612953b7a542e3ffa00a87f55c780ccf901b1cbe90aecfb3fbacd32b6be518acf7

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 cbc11a3576f8d8616b7ed1e6a57492f6
SHA1 bd7fe6130b392ddcb56e8e6bb04fa458ff9bb4bd
SHA256 75d8d5b847433ab03ccdf577a3dd15987e4833d5146a8aab9906e0aa749138aa
SHA512 99760c4c4b56d53020e25fd550154f45bce02486d529917cf70a9f1207cdbc612953b7a542e3ffa00a87f55c780ccf901b1cbe90aecfb3fbacd32b6be518acf7

memory/1936-102-0x0000000000130000-0x0000000000131000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 cbc11a3576f8d8616b7ed1e6a57492f6
SHA1 bd7fe6130b392ddcb56e8e6bb04fa458ff9bb4bd
SHA256 75d8d5b847433ab03ccdf577a3dd15987e4833d5146a8aab9906e0aa749138aa
SHA512 99760c4c4b56d53020e25fd550154f45bce02486d529917cf70a9f1207cdbc612953b7a542e3ffa00a87f55c780ccf901b1cbe90aecfb3fbacd32b6be518acf7

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 cbc11a3576f8d8616b7ed1e6a57492f6
SHA1 bd7fe6130b392ddcb56e8e6bb04fa458ff9bb4bd
SHA256 75d8d5b847433ab03ccdf577a3dd15987e4833d5146a8aab9906e0aa749138aa
SHA512 99760c4c4b56d53020e25fd550154f45bce02486d529917cf70a9f1207cdbc612953b7a542e3ffa00a87f55c780ccf901b1cbe90aecfb3fbacd32b6be518acf7

memory/1736-124-0x00000000002E0000-0x00000000002E1000-memory.dmp