Analysis Overview
SHA256
80d3590e8f6a7b77dde425be99d9756351ca77a38266258cf03203c52b9e9d62
Threat Level: Known bad
The file e6e96544b0fc45c775aae94f3dc7924c_JC.exe was found to be: Known bad.
Malicious Activity Summary
NetWire RAT payload
Netwire family
Netwire
WarzoneRat, AveMaria
Warzone RAT payload
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-11 13:23
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Netwire family
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-11 13:23
Reported
2023-10-12 01:04
Platform
win7-20230831-en
Max time kernel
132s
Max time network
126s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1300 set thread context of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe | C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe |
| PID 3036 set thread context of 2840 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe |
| PID 2016 set thread context of 1920 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe"
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {58A76F02-9171-417D-B4E2-58ED061F528D} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
Files
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
\Users\Admin\AppData\Roaming\Imgburn\Host.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
memory/2864-23-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
\Users\Admin\AppData\Roaming\Imgburn\Host.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
memory/2664-26-0x00000000000C0000-0x00000000000DD000-memory.dmp
memory/1300-25-0x0000000000790000-0x0000000000791000-memory.dmp
memory/2664-28-0x00000000000C0000-0x00000000000DD000-memory.dmp
memory/2664-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2664-38-0x00000000000C0000-0x00000000000DD000-memory.dmp
memory/2836-40-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2836-41-0x00000000001A0000-0x00000000001A1000-memory.dmp
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | fc21be7fccdf238dda32f33c4bba1985 |
| SHA1 | 1dbaadae4d1cf0a12c414bba438caab7e9011525 |
| SHA256 | a122c80df2d8400e3c156abfbd2b3c876e74a50e82d3584554bc788fda39ec8e |
| SHA512 | c9bb21c8ca325f638c2b2c08426b690435cd3cb06549d49c97be35f19b9bb95564a1352f482873a558191bfd33bb34874bb2ccf9be6da666bbd1a51c897eb2f4 |
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | fc21be7fccdf238dda32f33c4bba1985 |
| SHA1 | 1dbaadae4d1cf0a12c414bba438caab7e9011525 |
| SHA256 | a122c80df2d8400e3c156abfbd2b3c876e74a50e82d3584554bc788fda39ec8e |
| SHA512 | c9bb21c8ca325f638c2b2c08426b690435cd3cb06549d49c97be35f19b9bb95564a1352f482873a558191bfd33bb34874bb2ccf9be6da666bbd1a51c897eb2f4 |
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
memory/2840-70-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | fc21be7fccdf238dda32f33c4bba1985 |
| SHA1 | 1dbaadae4d1cf0a12c414bba438caab7e9011525 |
| SHA256 | a122c80df2d8400e3c156abfbd2b3c876e74a50e82d3584554bc788fda39ec8e |
| SHA512 | c9bb21c8ca325f638c2b2c08426b690435cd3cb06549d49c97be35f19b9bb95564a1352f482873a558191bfd33bb34874bb2ccf9be6da666bbd1a51c897eb2f4 |
memory/2656-75-0x0000000000400000-0x000000000042C000-memory.dmp
memory/276-77-0x00000000002E0000-0x00000000002E1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
memory/2656-81-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1988-82-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | fc21be7fccdf238dda32f33c4bba1985 |
| SHA1 | 1dbaadae4d1cf0a12c414bba438caab7e9011525 |
| SHA256 | a122c80df2d8400e3c156abfbd2b3c876e74a50e82d3584554bc788fda39ec8e |
| SHA512 | c9bb21c8ca325f638c2b2c08426b690435cd3cb06549d49c97be35f19b9bb95564a1352f482873a558191bfd33bb34874bb2ccf9be6da666bbd1a51c897eb2f4 |
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
memory/1920-98-0x0000000000080000-0x000000000009D000-memory.dmp
memory/1920-105-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1920-109-0x0000000000080000-0x000000000009D000-memory.dmp
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | fc21be7fccdf238dda32f33c4bba1985 |
| SHA1 | 1dbaadae4d1cf0a12c414bba438caab7e9011525 |
| SHA256 | a122c80df2d8400e3c156abfbd2b3c876e74a50e82d3584554bc788fda39ec8e |
| SHA512 | c9bb21c8ca325f638c2b2c08426b690435cd3cb06549d49c97be35f19b9bb95564a1352f482873a558191bfd33bb34874bb2ccf9be6da666bbd1a51c897eb2f4 |
memory/3028-114-0x00000000000B0000-0x00000000000B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | fc21be7fccdf238dda32f33c4bba1985 |
| SHA1 | 1dbaadae4d1cf0a12c414bba438caab7e9011525 |
| SHA256 | a122c80df2d8400e3c156abfbd2b3c876e74a50e82d3584554bc788fda39ec8e |
| SHA512 | c9bb21c8ca325f638c2b2c08426b690435cd3cb06549d49c97be35f19b9bb95564a1352f482873a558191bfd33bb34874bb2ccf9be6da666bbd1a51c897eb2f4 |
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | fc21be7fccdf238dda32f33c4bba1985 |
| SHA1 | 1dbaadae4d1cf0a12c414bba438caab7e9011525 |
| SHA256 | a122c80df2d8400e3c156abfbd2b3c876e74a50e82d3584554bc788fda39ec8e |
| SHA512 | c9bb21c8ca325f638c2b2c08426b690435cd3cb06549d49c97be35f19b9bb95564a1352f482873a558191bfd33bb34874bb2ccf9be6da666bbd1a51c897eb2f4 |
memory/944-161-0x00000000000B0000-0x00000000000B1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-11 13:23
Reported
2023-10-12 01:08
Platform
win10v2004-20230915-en
Max time kernel
206s
Max time network
235s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3704 set thread context of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe | C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe |
| PID 2768 set thread context of 4604 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe |
| PID 452 set thread context of 2384 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe"
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e6e96544b0fc45c775aae94f3dc7924c_JC.exe"
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
Files
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
memory/3704-8-0x00000000041E0000-0x00000000041E1000-memory.dmp
memory/3728-9-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
memory/3700-20-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
memory/3728-22-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4876-23-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1724-25-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | c71a70f2656deb834d22c7e6e8c106d0 |
| SHA1 | 7cc0a9c24072836f1044a9ab20923cd241f6be59 |
| SHA256 | 9c3334ce296471bdd38e064a34754919ab41d24441e99acf41034384c5073319 |
| SHA512 | 94b8148bf765129891616519d0a474d9f6999a1067a29dd68dfd9e05bc1a4bbc7505539e771ec4503f3f093aecd01f832baf21d608d2497a13afa29a99d85955 |
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | c71a70f2656deb834d22c7e6e8c106d0 |
| SHA1 | 7cc0a9c24072836f1044a9ab20923cd241f6be59 |
| SHA256 | 9c3334ce296471bdd38e064a34754919ab41d24441e99acf41034384c5073319 |
| SHA512 | 94b8148bf765129891616519d0a474d9f6999a1067a29dd68dfd9e05bc1a4bbc7505539e771ec4503f3f093aecd01f832baf21d608d2497a13afa29a99d85955 |
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | c71a70f2656deb834d22c7e6e8c106d0 |
| SHA1 | 7cc0a9c24072836f1044a9ab20923cd241f6be59 |
| SHA256 | 9c3334ce296471bdd38e064a34754919ab41d24441e99acf41034384c5073319 |
| SHA512 | 94b8148bf765129891616519d0a474d9f6999a1067a29dd68dfd9e05bc1a4bbc7505539e771ec4503f3f093aecd01f832baf21d608d2497a13afa29a99d85955 |
memory/4948-50-0x00000000009F0000-0x00000000009F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
memory/3636-54-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | c71a70f2656deb834d22c7e6e8c106d0 |
| SHA1 | 7cc0a9c24072836f1044a9ab20923cd241f6be59 |
| SHA256 | 9c3334ce296471bdd38e064a34754919ab41d24441e99acf41034384c5073319 |
| SHA512 | 94b8148bf765129891616519d0a474d9f6999a1067a29dd68dfd9e05bc1a4bbc7505539e771ec4503f3f093aecd01f832baf21d608d2497a13afa29a99d85955 |
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | c71a70f2656deb834d22c7e6e8c106d0 |
| SHA1 | 7cc0a9c24072836f1044a9ab20923cd241f6be59 |
| SHA256 | 9c3334ce296471bdd38e064a34754919ab41d24441e99acf41034384c5073319 |
| SHA512 | 94b8148bf765129891616519d0a474d9f6999a1067a29dd68dfd9e05bc1a4bbc7505539e771ec4503f3f093aecd01f832baf21d608d2497a13afa29a99d85955 |
memory/4928-75-0x00000000008B0000-0x00000000008B1000-memory.dmp