Analysis

Max time kernel: 180s
Max time network: 190s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 17/02/2022, 02:45

Behavioral task: behavioral1
Sample: 5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe
Resource: win10v2004-en-20220112

General

Target: 5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe
Size: 1.3MB
MD5: c516283658ab631b3bd24dc68b606811
SHA1: 4bf37a237aa5131c3df0399131f3f166a9bdc722
SHA256: 5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046
SHA512: c96e51232d22fd5b497a10ca2ca54bd011822e16622190253b78d693833ebf258579ade14ec465df63f0718ba48a450a54796bf32f1242e7e9dbb7519b3413bb

Malware Config

Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures
NetWire RAT payload (12 IoCs)

resource                                        yara_rule
behavioral2/files/0x000300000001ed17-130.dat    netwire
behavioral2/files/0x000300000001ed17-131.dat    netwire
behavioral2/files/0x0008000000021427-141.dat    netwire
behavioral2/files/0x0008000000021427-142.dat    netwire
behavioral2/files/0x000500000002142a-144.dat    netwire
behavioral2/files/0x000500000002142a-145.dat    netwire
behavioral2/files/0x000300000001ed17-146.dat    netwire
behavioral2/files/0x000500000002142a-154.dat    netwire
behavioral2/files/0x000300000001ed17-157.dat    netwire
behavioral2/files/0x000500000002142a-158.dat    netwire
behavioral2/files/0x000300000001ed17-159.dat    netwire
behavioral2/files/0x000500000002142a-167.dat    netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.

Warzone RAT Payload (2 IoCs)

resource                                                                            yara_rule
behavioral2/memory/3764-132-0x0000000000400000-0x000000000041D000-memory.dmp        warzonerat
behavioral2/memory/3764-140-0x0000000000400000-0x000000000041D000-memory.dmp        warzonerat
Executes dropped EXE (8 IoCs)

pid     Process
1692    Blasthost.exe
1728    Host.exe
852     RtDCpl64.exe
3744    Blasthost.exe
480     RtDCpl64.exe
2912    RtDCpl64.exe
3400    Blasthost.exe
1004    RtDCpl64.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.

description          ioc                                                                                                     Process
Key value queried    \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation    5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe
Key value queried    \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation    RtDCpl64.exe
Key value queried    \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation    RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)

description                              pid     Process                                                                   procid_target
PID 3580 set thread context of 3764      3580    5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe     69
PID 852 set thread context of 480        852     RtDCpl64.exe                                                              89
PID 2912 set thread context of 1004      2912    RtDCpl64.exe                                                              99
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.

resource                                        yara_rule
behavioral2/files/0x000500000002142a-144.dat    autoit_exe
behavioral2/files/0x000500000002142a-145.dat    autoit_exe
behavioral2/files/0x000500000002142a-154.dat    autoit_exe
behavioral2/files/0x000500000002142a-158.dat    autoit_exe
behavioral2/files/0x000500000002142a-167.dat    autoit_exe
Drops file in Windows directory (3 IoCs)

description                     ioc                                                                                                                    Process
File opened for modification    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat    svchost.exe
File opened for modification    C:\Windows\Logs\CBS\CBS.log                                                                                            TiWorker.exe
File opened for modification    C:\Windows\WinSxS\pending.xml                                                                                          TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description          ioc                                                                        Process
Key opened           \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0           MusNotifyIcon.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz      MusNotifyIcon.exe
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid     Process
2480    schtasks.exe
1052    schtasks.exe
2200    schtasks.exe
Modifies data under HKEY_USERS (49 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (51 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe"
    PID: 3580
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 1692
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
            PID: 1728
            - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe"
        PID: 3764
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 3180

    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 2480
        - Creates scheduled task(s)

C:\Windows\system32\MusNotifyIcon.exe
    Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    PID: 552
    - Checks processor information in registry

C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
    PID: 1140
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    PID: 2104
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID: 852
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 3744
        - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID: 480
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 2096

    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 1052
        - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID: 2912
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 3400
        - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID: 1004
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 3092

    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 2200
        - Creates scheduled task(s)