Analysis
max time kernel: 173s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 17/02/2022, 02:47
Behavioral task: behavioral1
Sample: 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe
Resource: win10v2004-en-20220112
General
Target: 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe
Size: 1.3MB
MD5: b8d87571145ad6044e6ec160d0dbca25
SHA1: 81043a93d8f1dafd596fd703cd9952c9a8a6f3f5
SHA256: 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3
SHA512: 0f1fd803c85525993cc750d47a3da1d00202eca5539699036c0d923aa7deedbc8983ae0ee698ad846be7f0641f9b81c53e4ec0c786b4c7739a00167e073a0a7d
Malware Config
Extracted: warzonerat
wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (9 IoCs)
resource | yara_rule
behavioral2/files/0x000400000001ed0e-131.dat | netwire
behavioral2/files/0x000400000001ed0e-130.dat | netwire
behavioral2/files/0x000300000000072b-132.dat | netwire
behavioral2/files/0x000300000000072b-133.dat | netwire
behavioral2/files/0x000300000000072f-144.dat | netwire
behavioral2/files/0x000300000000072f-145.dat | netwire
behavioral2/files/0x000400000001ed0e-146.dat | netwire
behavioral2/files/0x000300000000072f-154.dat | netwire
behavioral2/files/0x000400000001ed0e-158.dat | netwire

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/3108-134-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral2/memory/3108-141-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat

Executes dropped EXE (5 IoCs)
pid | Process
4004 | Blasthost.exe
2068 | Host.exe
3928 | RtDCpl64.exe
3392 | Blasthost.exe
3612 | RtDCpl64.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2136 set thread context of 3108 | 2136 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 72
PID 3928 set thread context of 3612 | 3928 | RtDCpl64.exe | 86

autoit_exe (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000300000000072f-144.dat | autoit_exe
behavioral2/files/0x000300000000072f-145.dat | autoit_exe
behavioral2/files/0x000300000000072f-154.dat | autoit_exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3648 | schtasks.exe
908 | schtasks.exe
Modifies data under HKEY_USERS (53 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4328" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132897172924917126" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4104" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.811569" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.250824" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Token: SeRestorePrivilege | 3744 | TiWorker.exe
Token: SeSecurityPrivilege | 3744 | TiWorker.exe
Token: SeBackupPrivilege | 3744 | TiWorker.exe
Suspicious use of WriteProcessMemory (35 IoCs)
description | pid | Process | procid_target
PID 2136 wrote to memory of 4004 | 2136 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 68
PID 2136 wrote to memory of 4004 | 2136 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 68
PID 2136 wrote to memory of 4004 | 2136 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 68
PID 4004 wrote to memory of 2068 | 4004 | Blasthost.exe | 71
PID 4004 wrote to memory of 2068 | 4004 | Blasthost.exe | 71
PID 4004 wrote to memory of 2068 | 4004 | Blasthost.exe | 71
PID 2136 wrote to memory of 3108 | 2136 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 72
PID 2136 wrote to memory of 3108 | 2136 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 72
PID 2136 wrote to memory of 3108 | 2136 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 72
PID 2136 wrote to memory of 3108 | 2136 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 72
PID 2136 wrote to memory of 3108 | 2136 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 72
PID 2136 wrote to memory of 3648 | 2136 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 75
PID 2136 wrote to memory of 3648 | 2136 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 75
PID 2136 wrote to memory of 3648 | 2136 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 75
PID 3108 wrote to memory of 3348 | 3108 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 78
PID 3108 wrote to memory of 3348 | 3108 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 78
PID 3108 wrote to memory of 3348 | 3108 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 78
PID 3108 wrote to memory of 3348 | 3108 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 78
PID 3108 wrote to memory of 3348 | 3108 | 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe | 78
PID 3928 wrote to memory of 3392 | 3928 | RtDCpl64.exe | 85
PID 3928 wrote to memory of 3392 | 3928 | RtDCpl64.exe | 85
PID 3928 wrote to memory of 3392 | 3928 | RtDCpl64.exe | 85
PID 3928 wrote to memory of 3612 | 3928 | RtDCpl64.exe | 86
PID 3928 wrote to memory of 3612 | 3928 | RtDCpl64.exe | 86
PID 3928 wrote to memory of 3612 | 3928 | RtDCpl64.exe | 86
PID 3928 wrote to memory of 3612 | 3928 | RtDCpl64.exe | 86
PID 3928 wrote to memory of 3612 | 3928 | RtDCpl64.exe | 86
PID 3612 wrote to memory of 3860 | 3612 | RtDCpl64.exe | 87
PID 3612 wrote to memory of 3860 | 3612 | RtDCpl64.exe | 87
PID 3612 wrote to memory of 3860 | 3612 | RtDCpl64.exe | 87
PID 3928 wrote to memory of 908 | 3928 | RtDCpl64.exe | 89
PID 3928 wrote to memory of 908 | 3928 | RtDCpl64.exe | 89
PID 3928 wrote to memory of 908 | 3928 | RtDCpl64.exe | 89
PID 3612 wrote to memory of 3860 | 3612 | RtDCpl64.exe | 87
PID 3612 wrote to memory of 3860 | 3612 | RtDCpl64.exe | 87
Processes
(tree depth shown in brackets; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2136

    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 4004

        [3] C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
            - Executes dropped EXE
            PID: 2068

    [2] C:\Users\Admin\AppData\Local\Temp\5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe"
        - Suspicious use of WriteProcessMemory
        PID: 3108

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 3348

    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)
        PID: 3648

[1] C:\Windows\system32\MusNotifyIcon.exe
    Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    - Checks processor information in registry
    PID: 648

[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID: 2000

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 3744

[1] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3928

    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE
        PID: 3392

    [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 3612

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 3860

    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)
        PID: 908