Analysis
max time kernel: 167s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 17/02/2022, 02:46
Behavioral task: behavioral1
Sample: 5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
Resource: win10v2004-en-20220112
General
Target: 5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
Size: 1.3MB
MD5: 9b7c60b50abf060b8e2482d82401e9db
SHA1: bd5f1345ff5d15b0fbc7514cce9b4455bdc0bfb9
SHA256: 5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208
SHA512: 06024fbdb67babc0c499ab6dcd8739cd46e20abf62f3bd984293c6569b1d9e01bd32db5e13952fa1fbc59857ed4f596981293f3803456469bba8f61007a55fef
Malware Config
Extracted
warzonerat
wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (12 IoCs)
resource  yara_rule
behavioral2/files/0x00060000000220e5-130.dat  netwire
behavioral2/files/0x00060000000220e5-131.dat  netwire
behavioral2/files/0x000300000001e7ec-142.dat  netwire
behavioral2/files/0x000300000001e7ec-141.dat  netwire
behavioral2/files/0x000400000001e793-144.dat  netwire
behavioral2/files/0x000400000001e793-145.dat  netwire
behavioral2/files/0x00060000000220e5-146.dat  netwire
behavioral2/files/0x000400000001e793-154.dat  netwire
behavioral2/files/0x00060000000220e5-157.dat  netwire
behavioral2/files/0x000400000001e793-158.dat  netwire
behavioral2/files/0x00060000000220e5-159.dat  netwire
behavioral2/files/0x000400000001e793-167.dat  netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (6 IoCs)
resource  yara_rule
behavioral2/memory/1588-133-0x0000000000480000-0x000000000049D000-memory.dmp  warzonerat
behavioral2/memory/1588-140-0x0000000000480000-0x000000000049D000-memory.dmp  warzonerat
behavioral2/memory/3992-147-0x0000000000520000-0x000000000053D000-memory.dmp  warzonerat
behavioral2/memory/3992-155-0x0000000000520000-0x000000000053D000-memory.dmp  warzonerat
behavioral2/memory/1684-160-0x0000000000B70000-0x0000000000B8D000-memory.dmp  warzonerat
behavioral2/memory/1684-168-0x0000000000B70000-0x0000000000B8D000-memory.dmp  warzonerat
Executes dropped EXE (8 IoCs)
pid   Process
2616  Blasthost.exe
3732  Host.exe
3200  RtDCpl64.exe
2964  Blasthost.exe
3992  RtDCpl64.exe
1424  RtDCpl64.exe
768   Blasthost.exe
1684  RtDCpl64.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)
description  pid  Process  procid_target
PID 1760 set thread context of 1588  1760  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  66
PID 3200 set thread context of 3992  3200  RtDCpl64.exe  82
PID 1424 set thread context of 1684  1424  RtDCpl64.exe  90
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral2/files/0x000400000001e793-144.dat  autoit_exe
behavioral2/files/0x000400000001e793-145.dat  autoit_exe
behavioral2/files/0x000400000001e793-154.dat  autoit_exe
behavioral2/files/0x000400000001e793-158.dat  autoit_exe
behavioral2/files/0x000400000001e793-167.dat  autoit_exe
Drops file in Windows directory (3 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  MusNotifyIcon.exe
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  MusNotifyIcon.exe
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
3252  schtasks.exe
3884  schtasks.exe
2996  schtasks.exe
Modifies data under HKEY_USERS (49 IoCs)
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"  svchost.exe
Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4164"  svchost.exe
Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "10.004444"  svchost.exe
Key created  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132897171529255214"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"  svchost.exe
Key created  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization  svchost.exe
Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4352"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"  svchost.exe
Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.631546"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"  svchost.exe
Key created  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"  svchost.exe
Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"  svchost.exe
Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "9.373478"  svchost.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description  pid  Process
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Token: SeRestorePrivilege  1356  TiWorker.exe
Token: SeSecurityPrivilege  1356  TiWorker.exe
Token: SeBackupPrivilege  1356  TiWorker.exe
Suspicious use of WriteProcessMemory (51 IoCs)
description  pid  Process  procid_target
PID 1760 wrote to memory of 2616  1760  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  64
PID 1760 wrote to memory of 2616  1760  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  64
PID 1760 wrote to memory of 2616  1760  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  64
PID 1760 wrote to memory of 1588  1760  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  66
PID 1760 wrote to memory of 1588  1760  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  66
PID 1760 wrote to memory of 1588  1760  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  66
PID 1760 wrote to memory of 1588  1760  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  66
PID 1760 wrote to memory of 1588  1760  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  66
PID 2616 wrote to memory of 3732  2616  Blasthost.exe  67
PID 2616 wrote to memory of 3732  2616  Blasthost.exe  67
PID 2616 wrote to memory of 3732  2616  Blasthost.exe  67
PID 1760 wrote to memory of 3252  1760  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  68
PID 1760 wrote to memory of 3252  1760  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  68
PID 1760 wrote to memory of 3252  1760  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  68
PID 1588 wrote to memory of 1916  1588  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  70
PID 1588 wrote to memory of 1916  1588  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  70
PID 1588 wrote to memory of 1916  1588  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  70
PID 1588 wrote to memory of 1916  1588  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  70
PID 1588 wrote to memory of 1916  1588  5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe  70
PID 3200 wrote to memory of 2964  3200  RtDCpl64.exe  81
PID 3200 wrote to memory of 2964  3200  RtDCpl64.exe  81
PID 3200 wrote to memory of 2964  3200  RtDCpl64.exe  81
PID 3200 wrote to memory of 3992  3200  RtDCpl64.exe  82
PID 3200 wrote to memory of 3992  3200  RtDCpl64.exe  82
PID 3200 wrote to memory of 3992  3200  RtDCpl64.exe  82
PID 3200 wrote to memory of 3992  3200  RtDCpl64.exe  82
PID 3200 wrote to memory of 3992  3200  RtDCpl64.exe  82
PID 3992 wrote to memory of 3664  3992  RtDCpl64.exe  83
PID 3992 wrote to memory of 3664  3992  RtDCpl64.exe  83
PID 3992 wrote to memory of 3664  3992  RtDCpl64.exe  83
PID 3200 wrote to memory of 3884  3200  RtDCpl64.exe  85
PID 3200 wrote to memory of 3884  3200  RtDCpl64.exe  85
PID 3200 wrote to memory of 3884  3200  RtDCpl64.exe  85
PID 3992 wrote to memory of 3664  3992  RtDCpl64.exe  83
PID 3992 wrote to memory of 3664  3992  RtDCpl64.exe  83
PID 1424 wrote to memory of 768  1424  RtDCpl64.exe  89
PID 1424 wrote to memory of 768  1424  RtDCpl64.exe  89
PID 1424 wrote to memory of 768  1424  RtDCpl64.exe  89
PID 1424 wrote to memory of 1684  1424  RtDCpl64.exe  90
PID 1424 wrote to memory of 1684  1424  RtDCpl64.exe  90
PID 1424 wrote to memory of 1684  1424  RtDCpl64.exe  90
PID 1424 wrote to memory of 1684  1424  RtDCpl64.exe  90
PID 1424 wrote to memory of 1684  1424  RtDCpl64.exe  90
PID 1684 wrote to memory of 1476  1684  RtDCpl64.exe  91
PID 1684 wrote to memory of 1476  1684  RtDCpl64.exe  91
PID 1684 wrote to memory of 1476  1684  RtDCpl64.exe  91
PID 1424 wrote to memory of 2996  1424  RtDCpl64.exe  93
PID 1424 wrote to memory of 2996  1424  RtDCpl64.exe  93
PID 1424 wrote to memory of 2996  1424  RtDCpl64.exe  93
PID 1684 wrote to memory of 1476  1684  RtDCpl64.exe  91
PID 1684 wrote to memory of 1476  1684  RtDCpl64.exe  91
Processes

C:\Users\Admin\AppData\Local\Temp\5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe"
PID: 1760
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    PID: 2616
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
        PID: 3732
        - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe"
    PID: 1588
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 1916

    C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    PID: 3252
    - Creates scheduled task(s)

C:\Windows\system32\MusNotifyIcon.exe
Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
PID: 1684
- Checks processor information in registry

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
PID: 1240
- Drops file in Windows directory
- Modifies data under HKEY_USERS

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
PID: 1356
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID: 3200
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    PID: 2964
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    PID: 3992
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 3664

    C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    PID: 3884
    - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID: 1424
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    PID: 768
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    PID: 1684
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 1476

    C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    PID: 2996
    - Creates scheduled task(s)