Analysis
max time kernel: 184s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 17/02/2022, 00:16
Behavioral task: behavioral1
Sample: 7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a.exe
Resource: win10v2004-en-20220112
General
Target: 7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a.exe
Size: 1.3MB
MD5: 5e913fc9f8794269ff2802babcddfe93
SHA1: 9e1dda4ac2e0ff6f00afd7087d13616862100380
SHA256: 7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a
SHA512: 30d12fc047477f1e5d53ea185f50f4d8a415dda63972de4c5c1049e525854edb9e6af138a08e0233498fdcee85bc3dcd8ca823cb4116f59249d305d5ae00d95b
Malware Config (extracted)
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (9 IoCs)
resource | yara_rule
behavioral2/files/0x000300000001e533-130.dat | netwire
behavioral2/files/0x000300000001e533-131.dat | netwire
behavioral2/files/0x0003000000000725-141.dat | netwire
behavioral2/files/0x0003000000000725-142.dat | netwire
behavioral2/files/0x0003000000000721-144.dat | netwire
behavioral2/files/0x0003000000000721-145.dat | netwire
behavioral2/files/0x000300000001e533-146.dat | netwire
behavioral2/files/0x0003000000000721-154.dat | netwire
behavioral2/files/0x000300000001e533-158.dat | netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.

Warzone RAT Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/1580-133-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral2/memory/1580-140-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
Executes dropped EXE (5 IoCs)
pid | Process
2548 | Blasthost.exe
3752 | Host.exe
3080 | RtDCpl64.exe
212 | Blasthost.exe
2500 | RtDCpl64.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 752 set thread context of 1580 | 752 | 7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a.exe | 73
PID 3080 set thread context of 2500 | 3080 | RtDCpl64.exe | 84
autoit_exe (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0003000000000721-144.dat | autoit_exe
behavioral2/files/0x0003000000000721-145.dat | autoit_exe
behavioral2/files/0x0003000000000721-154.dat | autoit_exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4056 | schtasks.exe
3472 | schtasks.exe
Modifies data under HKEY_USERS (52 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (35 IoCs)
description | pid | Process | procid_target | events
PID 752 wrote to memory of 2548 | 752 | 7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a.exe | 69 | 3
PID 752 wrote to memory of 1580 | 752 | 7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a.exe | 73 | 5
PID 752 wrote to memory of 4056 | 752 | 7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a.exe | 75 | 3
PID 2548 wrote to memory of 3752 | 2548 | Blasthost.exe | 76 | 3
PID 1580 wrote to memory of 1776 | 1580 | 7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a.exe | 78 | 5
PID 3080 wrote to memory of 212 | 3080 | RtDCpl64.exe | 83 | 3
PID 3080 wrote to memory of 2500 | 3080 | RtDCpl64.exe | 84 | 5
PID 2500 wrote to memory of 1868 | 2500 | RtDCpl64.exe | 85 | 3
PID 3080 wrote to memory of 3472 | 3080 | RtDCpl64.exe | 87 | 3
PID 2500 wrote to memory of 1868 | 2500 | RtDCpl64.exe | 85 | 2
Processes (tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a.exe (PID 752)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 2548)
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe (PID 3752)
          Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a.exe (PID 1580)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7da2b432e3be2c63718a85a23b87604c749b90d103743eae9748eee98850b06a.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1776)
          Command line: "C:\Windows\System32\cmd.exe"

    C:\Windows\SysWOW64\schtasks.exe (PID 4056)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Windows\system32\MusNotifyIcon.exe (PID 3852)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 0
  - Checks processor information in registry

C:\Windows\System32\svchost.exe (PID 1920)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2584)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 3080)
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 212)
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 2500)
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1868)
          Command line: "C:\Windows\System32\cmd.exe"

    C:\Windows\SysWOW64\schtasks.exe (PID 3472)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)