Malware Analysis Report

2025-08-05 16:37

Sample ID 220217-dcfrmahdbr
Target 5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d
SHA256 5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d
Tags
netwire warzonerat botnet infostealer rat stealer
score
10/10

Analysis Overview

score
10/10

SHA256

5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d

Threat Level: Known bad

The file 5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d was found to be: Known bad.

Malicious Activity Summary

netwire warzonerat botnet infostealer rat stealer

Netwire family

Netwire

NetWire RAT payload

WarzoneRat, AveMaria

Warzone RAT Payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

autoit_exe

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-17 02:51

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-17 02:51

Reported

2022-02-17 03:08

Platform

win10v2004-en-20220113

Max time kernel

170s

Max time network

180s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4500 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4840 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 4500 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe
PID 1656 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe C:\Windows\SysWOW64\schtasks.exe
PID 1740 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1740 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1228 wrote to memory of 684 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2364 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2364 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4276 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe

"C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe

"C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 74.125.34.46:80 tcp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/4500-134-0x00000000048E0000-0x00000000048E1000-memory.dmp

memory/1656-135-0x00000000003E0000-0x00000000003FD000-memory.dmp

memory/1656-142-0x00000000003E0000-0x00000000003FD000-memory.dmp

memory/4852-143-0x0000000000860000-0x0000000000861000-memory.dmp

memory/3028-144-0x000001490D960000-0x000001490D970000-memory.dmp

memory/3028-145-0x000001490E270000-0x000001490E280000-memory.dmp

memory/3028-146-0x0000014910900000-0x0000014910904000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 49aa8775af61c52f314843aaa5e88e8d
SHA1 2f6efdd48e8d891645978b910adb56fabe05d524
SHA256 54b21760cd48c47ff05d5c672b582423e3b48593d9d9d1910135b827d88562ad
SHA512 271a29414ca078cf7b2b48a3a9d3b89fdc012b8fef3285f77700cd3e522434d0dbe205c1dc51f436bc896711f312d332929487360f342c67864658de084b6b48

memory/1228-150-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1228-158-0x0000000000400000-0x000000000041D000-memory.dmp

memory/684-159-0x00000000009D0000-0x00000000009D1000-memory.dmp

memory/2364-171-0x0000000003130000-0x0000000003131000-memory.dmp

memory/1648-173-0x0000000000A40000-0x0000000000A41000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-17 02:51

Reported

2022-02-17 03:08

Platform

win7-en-20211208

Max time kernel

164s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1684 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe
PID 792 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1684 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe C:\Windows\SysWOW64\schtasks.exe
PID 1368 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 600 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 600 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 600 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 600 wrote to memory of 900 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1384 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 1104 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1104 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1104 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1104 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe

"C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe

"C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {CD1EDB0E-EE5C-4FB7-AD59-F4CC19E015E0} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 74.125.34.46:80 tcp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp

Files

memory/1684-54-0x0000000075891000-0x0000000075893000-memory.dmp

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/1368-61-0x0000000000080000-0x000000000009D000-memory.dmp

memory/1368-60-0x0000000000080000-0x000000000009D000-memory.dmp

memory/1684-70-0x00000000009E0000-0x00000000009E1000-memory.dmp

memory/1368-71-0x0000000000080000-0x000000000009D000-memory.dmp

\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/976-77-0x0000000000260000-0x0000000000261000-memory.dmp

memory/976-78-0x0000000000260000-0x0000000000261000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 61acc4f4577b875deebc7c558978c333
SHA1 1ae7d19c9a2e9377d391cc0cafa948e7c0ee0161
SHA256 aa936d7df8a3947f4e8e39a749f2413c021d70cc3365dd1dd2b80c790522c591
SHA512 5abf5024f46590c7a23fe79c32d4b66bf607cb7bc764197023b9d674662feda0a5308b2d68b77ac05297adf395b179949a4cd4dc30a8b5a0236fbe5b39117247

memory/1712-102-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1568-113-0x00000000000C0000-0x00000000000DD000-memory.dmp

memory/1568-122-0x00000000000C0000-0x00000000000DD000-memory.dmp

memory/2000-124-0x0000000000160000-0x0000000000161000-memory.dmp