Analysis
max time kernel: 179s
max time network: 190s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 17/02/2022, 02:52
Behavioral task: behavioral1
Sample: 5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
Resource: win10v2004-en-20220112
General
Target: 5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
Size: 1.3MB
MD5: 58551eb23536b135ab4c454925202f99
SHA1: 221534f28a99b4d3848423ee8e52e4ba8e7beaca
SHA256: 5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c
SHA512: 7ad5ee454f4bf59c0925ceef12267f0e722c3807ea9a2ec96370f5ebb4a2382bef46dac00f86ccb7ace917388878770eae8c6520fd961dd804b734da03ac6002
Malware Config
Extracted
warzonerat
wealth.warzonedns.com:5202
Signatures
NetWire RAT payload 9 IoCs
resource | yara_rule
behavioral2/files/0x00020000000216da-130.dat | netwire
behavioral2/files/0x00020000000216da-131.dat | netwire
behavioral2/files/0x0003000000000723-132.dat | netwire
behavioral2/files/0x0003000000000723-133.dat | netwire
behavioral2/files/0x000300000000072d-144.dat | netwire
behavioral2/files/0x000300000000072d-145.dat | netwire
behavioral2/files/0x00020000000216da-146.dat | netwire
behavioral2/files/0x000300000000072d-154.dat | netwire
behavioral2/files/0x00020000000216da-157.dat | netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT Payload 2 IoCs
resource | yara_rule
behavioral2/memory/3956-134-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral2/memory/3956-141-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
Executes dropped EXE 5 IoCs
pid | Process
3260 | Blasthost.exe
3652 | Host.exe
3312 | RtDCpl64.exe
3824 | Blasthost.exe
1868 | RtDCpl64.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1280 set thread context of 3956 | 1280 | 5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe | 76
PID 3312 set thread context of 1868 | 3312 | RtDCpl64.exe | 87
autoit_exe 3 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000300000000072d-144.dat | autoit_exe
behavioral2/files/0x000300000000072d-145.dat | autoit_exe
behavioral2/files/0x000300000000072d-154.dat | autoit_exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4068 | schtasks.exe
3752 | schtasks.exe
Modifies data under HKEY_USERS 53 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 35 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe"
    PID: 1280
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 3260
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
            PID: 3652
            - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe"
        PID: 3956
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 3520
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 4068
        - Creates scheduled task(s)
[1] C:\Windows\system32\MusNotifyIcon.exe
    Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    PID: 3180
    - Checks processor information in registry
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
    PID: 3436
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    PID: 2120
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID: 3312
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 3824
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID: 1868
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 3896
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 3752
        - Creates scheduled task(s)