Analysis
max time kernel: 169s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 17/02/2022, 02:51
Behavioral task: behavioral1
Sample: 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe
Resource: win10v2004-en-20220112
General
Target: 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe
Size: 1.3MB
MD5: ca6993e72069dfdcf1313fc5478a646f
SHA1: 9d4110d9d98a5e1c132d6c8b512925a8be193c93
SHA256: 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d
SHA512: 2e17366278c3d99ad172bb463e6cd317cef8ef9ef26d707de3a604a1f0d6bafb8c27107e231cd906337c85308c511d73b0e2a8e037ba8449e9a19e2b83d1ed4d
Malware Config
Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (12 IoCs)
resource | yara_rule
behavioral2/files/0x000400000001ed17-130.dat | netwire
behavioral2/files/0x000400000001ed17-131.dat | netwire
behavioral2/files/0x000400000001ed1a-132.dat | netwire
behavioral2/files/0x000400000001ed1a-134.dat | netwire
behavioral2/files/0x000300000001ed2e-144.dat | netwire
behavioral2/files/0x000300000001ed2e-145.dat | netwire
behavioral2/files/0x000400000001ed17-146.dat | netwire
behavioral2/files/0x000300000001ed2e-154.dat | netwire
behavioral2/files/0x000400000001ed17-157.dat | netwire
behavioral2/files/0x000300000001ed2e-158.dat | netwire
behavioral2/files/0x000400000001ed17-159.dat | netwire
behavioral2/files/0x000300000001ed2e-167.dat | netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/2796-133-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral2/memory/2796-142-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
Executes dropped EXE (8 IoCs)
pid | Process
452 | Blasthost.exe
772 | Host.exe
2624 | RtDCpl64.exe
1720 | Blasthost.exe
2936 | RtDCpl64.exe
2928 | RtDCpl64.exe
2652 | Blasthost.exe
2084 | RtDCpl64.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 3080 set thread context of 2796 | 3080 | 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe | 62
PID 2624 set thread context of 2936 | 2624 | RtDCpl64.exe | 84
PID 2928 set thread context of 2084 | 2928 | RtDCpl64.exe | 91
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000300000001ed2e-144.dat | autoit_exe
behavioral2/files/0x000300000001ed2e-145.dat | autoit_exe
behavioral2/files/0x000300000001ed2e-154.dat | autoit_exe
behavioral2/files/0x000300000001ed2e-158.dat | autoit_exe
behavioral2/files/0x000300000001ed2e-167.dat | autoit_exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3856 | schtasks.exe
3036 | schtasks.exe
880 | schtasks.exe
Modifies data under HKEY_USERS (50 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (51 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe"
  PID: 3080
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Blasthost.exe
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    PID: 452
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
      command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      PID: 772
      - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe"
    PID: 2796
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe"
      PID: 1432

  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    PID: 3036
    - Creates scheduled task(s)

C:\Windows\system32\MusNotifyIcon.exe
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 1696
  - Checks processor information in registry

C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 2864
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3528
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  PID: 2624
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Blasthost.exe
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    PID: 1720
    - Executes dropped EXE

  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    PID: 2936
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe"
      PID: 928

  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    PID: 880
    - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  PID: 2928
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Blasthost.exe
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    PID: 2652
    - Executes dropped EXE

  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    PID: 2084
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe"
      PID: 3440

  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    PID: 3856
    - Creates scheduled task(s)