Malware Analysis Report

2025-01-18 16:50

Sample ID 231015-vh7wqsbf25
Target 0f76a99d83114f309b75e6a208a467a0_exe32_JC.exe
SHA256 450e0c830fb9101a5eacab582d3372ede41b4510a0f135af2816e83257ef7eb6
Tags: rat netwire warzonerat botnet infostealer stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10
SHA256 450e0c830fb9101a5eacab582d3372ede41b4510a0f135af2816e83257ef7eb6

Threat Level: Known bad

The file 0f76a99d83114f309b75e6a208a467a0_exe32_JC.exe was found to be: Known bad.

Malicious Activity Summary

Tags: rat netwire warzonerat botnet infostealer stealer

Signatures matched across the static scan and both behavioral runs:

Netwire family / NetWire RAT payload / Netwire (botnet, stealer)
WarzoneRat, AveMaria / Warzone RAT payload (rat, infostealer)
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
AutoIT Executable
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious use of WriteProcessMemory

Read together with the process, file and network detail below, this is an unsigned AutoIt-compiled dropper that carries two commodity RATs rather than one. It writes Blasthost.exe (which copies itself to Imgburn\Host.exe) and aepic\RtDCpl64.exe under %APPDATA%, relaunches a copy of its own image and writes into it (the WriteProcessMemory plus SetThreadContext pairing typical of process hollowing), registers a scheduled task named "raserver" that re-executes RtDCpl64.exe every minute with /F so it re-registers itself on every run, and resolves three dynamic-DNS C2 hostnames in a fixed rotation. The Windows 7 and Windows 10 runs show the same chain; only the Task Scheduler host process differs.

MITRE ATT&CK

Enterprise Matrix V15. The export carries no technique table. The techniques the signatures below evidence directly are Scheduled Task (T1053.005, the "raserver" task created with schtasks), Process Injection into a relaunched copy of the sample's own image (T1055; together with the SetThreadContext signature this is the Process Hollowing sub-technique, T1055.012), Masquerading via a dropped binary named like the Realtek audio control panel executable RtDCpl64.exe but living under %APPDATA%\aepic (T1036.005), and Dynamic Resolution through dynamic-DNS hostnames (T1568). Treat this mapping as derived from the signatures in this report, not as the sandbox's own output.

Analysis: static1

Detonation Overview

Reported

2023-10-15 17:00

Signatures

NetWire RAT payload (rat): matched; the export carries no indicator detail.

Netwire family (netwire)

AutoIT Executable: matched; no indicator detail exported.

Unsigned PE: matched; no indicator detail exported. An unsigned AutoIt-compiled binary is a weak signal on its own; the family hits above are what make the static verdict.

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 17:00

Reported

2023-10-15 17:03

Platform

win7-20230831-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f76a99d83114f309b75e6a208a467a0_exe32_JC.exe"

Signatures

NetWire RAT payload (rat): 29 matches; the export carries no indicator detail for any of them.

Netwire (botnet, stealer, netwire)

WarzoneRat, AveMaria (rat, infostealer, warzonerat)

Warzone RAT payload (rat): 4 matches; no indicator detail exported.

AutoIT Executable: 5 matches; no indicator detail exported.

Enumerates physical storage devices

Creates scheduled task(s) (persistence): 3 events, each from C:\Windows\SysWOW64\schtasks.exe. The command lines are in the Processes section below; all three create the same task, "raserver", pointing at C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe with /sc minute /mo 1 /F, so every run of the task re-registers it.

Suspicious use of WriteProcessMemory

The export prints one row per write and stops at 64 rows, so the last pair is cut off. Collapsed by writer and target (sample = C:\Users\Admin\AppData\Local\Temp\0f76a99d83114f309b75e6a208a467a0_exe32_JC.exe):

Writer PID  Target PID  Writes  Writer -> Target
2200        1976        4       sample -> C:\Users\Admin\AppData\Roaming\Blasthost.exe
2200        3024        6       sample -> sample (relaunched copy of its own image)
2200        2740        4       sample -> C:\Windows\SysWOW64\schtasks.exe
1976        2636        4       Blasthost.exe -> C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
3024        2600        6       sample (copy) -> C:\Windows\SysWOW64\cmd.exe
268         1496        4       C:\Windows\system32\taskeng.exe -> C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
1496        1448        4       RtDCpl64.exe -> Blasthost.exe
1496        2956        6       RtDCpl64.exe -> RtDCpl64.exe (relaunched copy of its own image)
1496        1660        4       RtDCpl64.exe -> schtasks.exe
2956        1664        6       RtDCpl64.exe (copy) -> cmd.exe
268         1728        4       taskeng.exe -> RtDCpl64.exe
1728        1392        4       RtDCpl64.exe -> Blasthost.exe
1728        2036        6       RtDCpl64.exe -> RtDCpl64.exe (relaunched copy of its own image)
1728        1992        2+      RtDCpl64.exe -> schtasks.exe (row limit reached)

Four writes per child is the baseline for every ordinary process start in this run, including the 64-bit taskeng.exe starting RtDCpl64.exe. The six-write groups go to a relaunched copy of the writer's own image, or to the cmd.exe that copy then starts, so those children receive more than a plain start. With "Suspicious use of SetThreadContext" in the summary, the self-copies fit the process-hollowing sequence (create suspended, overwrite the image, set the thread context, resume); the table itself only proves the writes.
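The collapsing done above can be automated for any report in this format. The following Python is an added example written for this page, not tooling from the sandbox vendor: it parses rows of the WriteProcessMemory table, counts writes per writer/target pair, flags targets that run the same image as their writer, and prints the process tree. The rows are the ones from the table above; purely so the input fits here, the sample path is held in a constant and each distinct row carries the number of times the table repeats it, which expand_table() undoes. The regex assumes the report never quotes paths and that no path contains a space, which holds for every row above.

```python
import re
from collections import Counter, defaultdict

# Path of the submitted sample, as printed in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0f76a99d83114f309b75e6a208a467a0_exe32_JC.exe"

# Rows from the behavioral1 "Suspicious use of WriteProcessMemory" table.
# The report prints one row per write; here each distinct row is prefixed with
# its repeat count and {S} stands in for SAMPLE. Both are only a packing
# convenience for this example and are undone by expand_table().
PACKED_TABLE = r"""
4 PID 2200 wrote to memory of 1976 N/A {S} C:\Users\Admin\AppData\Roaming\Blasthost.exe
6 PID 2200 wrote to memory of 3024 N/A {S} {S}
4 PID 2200 wrote to memory of 2740 N/A {S} C:\Windows\SysWOW64\schtasks.exe
4 PID 1976 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
6 PID 3024 wrote to memory of 2600 N/A {S} C:\Windows\SysWOW64\cmd.exe
4 PID 268 wrote to memory of 1496 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
4 PID 1496 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
6 PID 1496 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
4 PID 1496 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
6 PID 2956 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
"""

# Report rows are space separated and the sandbox does not quote paths, so this
# only works while no path contains a space (true for every row above).
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def expand_table(packed: str) -> list[str]:
    """Undo the packing: one raw report row per recorded write."""
    rows = []
    for line in packed.strip().splitlines():
        count, row = line.split(" ", 1)
        rows.extend([row.replace("{S}", SAMPLE)] * int(count))
    return rows


def parse_rows(rows: list[str]) -> list[tuple[int, int, str, str]]:
    """(writer_pid, target_pid, writer_image, target_image) per row; junk skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def write_counts(events) -> Counter:
    """Collapse repeated rows into (writer_pid, target_pid) -> number of writes."""
    return Counter((w, t) for w, t, _, _ in events)


def self_image_targets(events) -> list[tuple[int, int]]:
    """Targets running the writer's own image: a relaunched copy the parent keeps
    writing into. Paired with the SetThreadContext signature this is the
    process-hollowing pattern; the table alone only proves the writes."""
    return sorted({(w, t) for w, t, wi, ti in events if wi.lower() == ti.lower()})


def build_tree(events):
    """roots, children[pid] -> [child_pid, ...], image[pid] -> image path."""
    children, image = defaultdict(list), {}
    for w, t, wi, ti in events:
        image.setdefault(w, wi)
        image.setdefault(t, ti)
        if t not in children[w]:
            children[w].append(t)
    targets = {t for _, t, _, _ in events}
    roots = [p for p in image if p not in targets]
    return roots, children, image


def render(events) -> str:
    """Indented tree; each child shows how many writes its parent made into it
    and whether it runs the same image as that parent."""
    roots, children, image = build_tree(events)
    counts = write_counts(events)
    relaunched = {t for _, t in self_image_targets(events)}
    lines = []

    def walk(pid: int, depth: int, note: str = "") -> None:
        name = image[pid].rsplit("\\", 1)[-1]
        flag = "  <-- same image as parent" if pid in relaunched else ""
        lines.append(f"{'    ' * depth}{name} (PID {pid}){note}{flag}")
        for child in children[pid]:
            walk(child, depth + 1, f", {counts[(pid, child)]} writes")

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(parse_rows(expand_table(PACKED_TABLE))))
```

Running it prints two trees, rooted at the sample (PID 2200) and at taskeng.exe (PID 268), with the 6-write children marked; feeding it the raw table text instead of PACKED_TABLE only requires skipping expand_table().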

Processes

Process tree for this run, with PIDs taken from the WriteProcessMemory table above (the export lists the processes flat, in start order; sample = C:\Users\Admin\AppData\Local\Temp\0f76a99d83114f309b75e6a208a467a0_exe32_JC.exe):

sample (PID 2200)
    Blasthost.exe (PID 1976)
        Imgburn\Host.exe (PID 2636)
    sample (PID 3024, relaunched copy of its own image)
        cmd.exe (PID 2600)
    schtasks.exe (PID 2740)
taskeng.exe (PID 268, the Windows 7 Task Scheduler host; each child below is the "raserver" task firing)
    aepic\RtDCpl64.exe (PID 1496, first task run)
        Blasthost.exe (PID 1448)
        aepic\RtDCpl64.exe (PID 2956, relaunched copy of its own image)
            cmd.exe (PID 1664)
        schtasks.exe (PID 1660)
    aepic\RtDCpl64.exe (PID 1728, second task run)
        Blasthost.exe (PID 1392)
        aepic\RtDCpl64.exe (PID 2036, relaunched copy of its own image)
            cmd.exe (PID not in the exported table)
        schtasks.exe (PID 1992)

Distinct command lines:

"C:\Users\Admin\AppData\Local\Temp\0f76a99d83114f309b75e6a208a467a0_exe32_JC.exe"
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (unquoted: the scheduler's launch, straight from the task's /tr value)
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" (quoted: the self-relaunch)
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F (three times: once from the sample, once from each task run)
"C:\Windows\System32\cmd.exe" (the image path is C:\Windows\SysWOW64\cmd.exe: the 32-bit parent asked for System32 and WOW64 file-system redirection served the 32-bit copy)
taskeng.exe {BB28B394-65C9-4D16-864E-748E84769C29} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

Each task run repeats the sample's own behaviour: RtDCpl64.exe starts Blasthost.exe, relaunches itself, and re-registers the same task. With /sc minute /mo 1 that produces a fresh Blasthost.exe plus hollowed RtDCpl64.exe pair every minute until the task is deleted, and the /F flag means deleting the dropped files alone is not enough while any instance is still running. taskeng.exe is specific to Windows 7; on Windows 10 the scheduler runs the task from its svchost.exe service host, which is why the behavioral2 tree below shows RtDCpl64.exe with no visible parent.
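A detection for the persistence step. This is an added example, not code from the report or the sandbox: it parses a schtasks /create command line the way an EDR or a Sysmon Event ID 1 rule would see it and returns the reasons it looks like malware persistence: an action binary under a user-writable directory, a repeat interval of a few minutes or a logon/start trigger, and /F to overwrite an existing task of the same name. The report's own command line is included verbatim; the benign and logon-triggered lines beside it are constructed for contrast, and the thresholds (five minutes, the directory list) are this example's choices.

```python
import re

# Command line recorded in the Processes section above (verbatim).
REPORT_CMDLINE = (
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver '
    r'/tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F'
)

# Two constructed command lines for contrast; neither comes from the report.
BENIGN_CMDLINE = (
    r'schtasks.exe /create /tn "Vendor Updater" '
    r'/tr "C:\Program Files\Vendor\update.exe" /sc daily /st 03:00'
)
LOGON_CMDLINE = r"schtasks /create /tn OneDriveSync /tr C:\Users\Admin\AppData\Roaming\svc.exe /sc onlogon"

# Directories a standard user can write to; a task whose action lives there
# needs no admin rights to plant and survives reboots. Example's own list.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# schtasks /sc values that fire on a clock, in minutes per unit of /mo.
INTERVAL_MINUTES = {"minute": 1, "hourly": 60, "daily": 24 * 60}
# /sc values that fire without any user action.
TRIGGER_ONLY = {"onlogon", "onstart", "onidle", "onevent"}
# Repeat interval at or below which the task looks like a watchdog, not a job.
SUSPICIOUS_MINUTES = 5


def tokenize(cmdline: str) -> list[str]:
    """Split like CommandLineToArgvW does for the simple case: quoted runs stay
    together and the quotes are stripped. Escaped quotes are not handled."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Map /switch (lower-cased) -> value, or True for bare switches such as /F."""
    tokens = tokenize(cmdline)
    args, i = {}, 1                      # tokens[0] is the program path
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            args[tok.lower()] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return args


def assess(cmdline: str) -> list[str]:
    """Reasons this schtasks invocation looks like malware persistence; an empty
    list means nothing stood out. Only /create lines are judged."""
    args = parse_schtasks(cmdline)
    if "/create" not in args:
        return []
    reasons = []
    action = str(args.get("/tr", ""))
    if any(d in action.lower() for d in USER_WRITABLE):
        reasons.append(f"action runs from a user-writable path: {action}")
    sc = str(args.get("/sc", "")).lower()
    mo = str(args.get("/mo", "1"))
    modifier = int(mo) if mo.isdigit() else 1
    if sc in INTERVAL_MINUTES:
        every = INTERVAL_MINUTES[sc] * modifier
        if every <= SUSPICIOUS_MINUTES:
            reasons.append(f"fires every {every} minute(s) (/sc {sc} /mo {modifier})")
    if sc in TRIGGER_ONLY:
        reasons.append(f"fires on {sc} without user interaction")
    if args.get("/f") is True:
        reasons.append("/F silently replaces any existing task of that name")
    return reasons


def triage(cmdlines: dict[str, str]) -> dict[str, list[str]]:
    """Run assess() over named command lines; keep only those with findings."""
    found = {}
    for name, cmd in cmdlines.items():
        reasons = assess(cmd)
        if reasons:
            found[name] = reasons
    return found


if __name__ == "__main__":
    samples = {"report": REPORT_CMDLINE, "benign": BENIGN_CMDLINE, "logon": LOGON_CMDLINE}
    for name, reasons in triage(samples).items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

The report's line trips all three checks; the daily vendor task trips none. The same three questions apply to a task created through the API rather than schtasks.exe (Security event 4698 or the task XML under C:\Windows\System32\Tasks), where the interval appears as a Repetition/Interval element instead of /sc and /mo.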

Network

Only DNS is recorded; every query goes to 8.8.8.8:53 over UDP, and no connection to a resolved C2 address appears in the export.

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

All three are dynamic-DNS names: strangled.net and ddns.net are free dynamic-DNS zones, and warzonedns.com is the dynamic-DNS service that ships with the Warzone RAT builder. Block or sinkhole the hostnames rather than whatever they resolve to, since the addresses can change between lookups.

Files

The export repeats each dropped file once per create or copy event and in two spellings (\Users\... and C:\Users\...). Deduplicated, three files with two distinct contents were written. Blasthost.exe and Imgburn\Host.exe have identical MD5, SHA1, SHA256 and SHA512, so Blasthost.exe copies itself to Imgburn\Host.exe and runs the copy. The hashes are the indicators worth keeping; the file names change trivially between builds.

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe (same hashes as Blasthost.exe)

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 d6a84b5098fb2b5fdb0ba22cc573e5d9
SHA1 624ea59d1ae36511b48edad0c17bc71e157528e9
SHA256 f389cfae9c01f546b3c0aa3da9965ac1c90a4efaf3f71a679103bcf34ef0740e
SHA512 77df7e98d28b95da55bf79358617f5d9f706e9040d92f3b9ce76471d0e2c866e8ed40024e969ecba6e1ac34afd2eee7f986968c3ad1824936326bf8719ed4d4f

Memory dumps (PID-sequence-range), in the order the export lists them:

memory/2200-15-0x00000000007C0000-0x00000000007C1000-memory.dmp
memory/3024-16-0x00000000000D0000-0x00000000000ED000-memory.dmp
memory/3024-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/3024-18-0x00000000000D0000-0x00000000000ED000-memory.dmp
memory/3024-28-0x00000000000D0000-0x00000000000ED000-memory.dmp
memory/1976-37-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2600-41-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2600-40-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2636-44-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2956-70-0x0000000000080000-0x000000000009D000-memory.dmp
memory/2956-77-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2956-81-0x0000000000080000-0x000000000009D000-memory.dmp
memory/1664-84-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/1448-90-0x0000000000400000-0x000000000042C000-memory.dmp

Two region shapes recur. Every Blasthost.exe/Host.exe instance (PIDs 1976, 2636, 1448) yields a 0x2C000-byte image at 0x400000; every relaunched self-copy (PIDs 3024, 2956) yields a 0x1D000-byte region at a low base (0xD0000, 0x80000) plus one page at 0xFFFDE000. The export does not say which of these dumps the NetWire and Warzone payload signatures matched, so which family lives in which region is something to confirm by scanning the dumps rather than something this report states.

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-15 17:00

Reported

2023-10-15 17:03

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f76a99d83114f309b75e6a208a467a0_exe32_JC.exe"

Signatures

NetWire RAT payload (rat): 14 matches; the export carries no indicator detail.

Netwire (botnet, stealer, netwire)

WarzoneRat, AveMaria (rat, infostealer, warzonerat)

Warzone RAT payload (rat): 2 matches; no indicator detail exported.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0f76a99d83114f309b75e6a208a467a0_exe32_JC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

Both the sample and the task-launched RtDCpl64.exe read the user's GeoID, the value GetUserGeoID returns. Malware commonly reads it to avoid running in excluded countries, but AutoIt runtimes and many installers read the same key, so on its own this is corroborating rather than decisive.

AutoIT Executable: 3 matches; no indicator detail exported.

Enumerates physical storage devices

Creates scheduled task(s) (persistence): 2 events from C:\Windows\SysWOW64\schtasks.exe, both creating task "raserver" for C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe with /sc minute /mo 1 /F (command lines in Processes below).

Suspicious use of WriteProcessMemory

Collapsed by writer and target (35 rows in the export; sample = C:\Users\Admin\AppData\Local\Temp\0f76a99d83114f309b75e6a208a467a0_exe32_JC.exe):

Writer PID  Target PID  Writes  Writer -> Target
5008        2132        3       sample -> C:\Users\Admin\AppData\Roaming\Blasthost.exe
2132        4892        3       Blasthost.exe -> C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
5008        3700        5       sample -> sample (relaunched copy of its own image)
3700        1320        5       sample (copy) -> C:\Windows\SysWOW64\cmd.exe
5008        2420        3       sample -> C:\Windows\SysWOW64\schtasks.exe
1656        3920        3       C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe -> Blasthost.exe
1656        4620        5       RtDCpl64.exe -> RtDCpl64.exe (relaunched copy of its own image)
1656        4252        3       RtDCpl64.exe -> schtasks.exe
4620        3496        5       RtDCpl64.exe (copy) -> cmd.exe

Same shape as the Windows 7 run with one write fewer per event type: three for an ordinary child start, five for the relaunched self-copies and the cmd.exe they start. RtDCpl64.exe (PID 1656) has no writer in this table; on Windows 10 the scheduled task is started by the Task Scheduler service inside svchost.exe rather than by taskeng.exe, and no write from that host appears in the export.

Processes

Process tree for this run, with PIDs taken from the WriteProcessMemory table above (the export lists the processes flat, in start order; sample = C:\Users\Admin\AppData\Local\Temp\0f76a99d83114f309b75e6a208a467a0_exe32_JC.exe):

sample (PID 5008)
    Blasthost.exe (PID 2132)
        Imgburn\Host.exe (PID 4892)
    sample (PID 3700, relaunched copy of its own image)
        cmd.exe (PID 1320)
    schtasks.exe (PID 2420)
aepic\RtDCpl64.exe (PID 1656, started by the "raserver" task; the scheduler's service host is not in the export)
    Blasthost.exe (PID 3920)
    aepic\RtDCpl64.exe (PID 4620, relaunched copy of its own image)
        cmd.exe (PID 3496)
    schtasks.exe (PID 4252)

Distinct command lines:

"C:\Users\Admin\AppData\Local\Temp\0f76a99d83114f309b75e6a208a467a0_exe32_JC.exe"
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (unquoted: the scheduler's launch, straight from the task's /tr value)
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" (quoted: the self-relaunch)
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F (twice: once from the sample, once from the task run)
"C:\Windows\System32\cmd.exe" (the image path is C:\Windows\SysWOW64\cmd.exe through WOW64 file-system redirection)

The export shows one task run here against two in the Windows 7 run; the chain inside the run is identical.

Network

55 DNS queries, all to 8.8.8.8:53 over UDP, and again no connection to a resolved address in the export. Collapsed by name:

Count  Domain
23     wealth.warzonedns.com
12     Wealthy2019.com.strangled.net
11     wealthyme.ddns.net
9      reverse (PTR) lookups: 208.194.73.20, 126.20.238.8, 95.221.229.192, 71.31.126.40, 55.36.223.20, 146.78.124.51, 86.23.85.13, 15.164.165.52, 158.240.127.40 (all .in-addr.arpa)

The reverse lookups are typical Windows 10 background traffic and nothing in the export ties them to the sample. The forward queries run in a fixed rotation for the whole capture: wealth.warzonedns.com, wealthyme.ddns.net, wealth.warzonedns.com, Wealthy2019.com.strangled.net, then again from the start, with no pause between cycles. That is what a RAT client does when none of its configured hosts resolves or answers, and the three names are the same C2 list seen in the Windows 7 run. The export does not say which process issued which query, so whether one implant cycles through all three or the two payloads query their own hosts in turn cannot be settled from this page.
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/2132-12-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/3700-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/5008-13-0x00000000036A0000-0x00000000036A1000-memory.dmp

memory/3700-22-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1320-24-0x0000000000710000-0x0000000000711000-memory.dmp

memory/4892-26-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 18cf60b076bfbd1c429401461d092275
SHA1 fd96608a524545406953345c8948e21cc5fadfb1
SHA256 058257998695405ae9a6bb6588aa342db10c57bdcb8c535ec77a0135ee086067
SHA512 56016b548cf50ba1596f1df83a92d85300f5a64e4e09d7f473170523dbe7dbfb4eb308e355532d06d245bd85a01e289f0f555cf9301a42d8ffa57dbb216b5897

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 18cf60b076bfbd1c429401461d092275
SHA1 fd96608a524545406953345c8948e21cc5fadfb1
SHA256 058257998695405ae9a6bb6588aa342db10c57bdcb8c535ec77a0135ee086067
SHA512 56016b548cf50ba1596f1df83a92d85300f5a64e4e09d7f473170523dbe7dbfb4eb308e355532d06d245bd85a01e289f0f555cf9301a42d8ffa57dbb216b5897

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 18cf60b076bfbd1c429401461d092275
SHA1 fd96608a524545406953345c8948e21cc5fadfb1
SHA256 058257998695405ae9a6bb6588aa342db10c57bdcb8c535ec77a0135ee086067
SHA512 56016b548cf50ba1596f1df83a92d85300f5a64e4e09d7f473170523dbe7dbfb4eb308e355532d06d245bd85a01e289f0f555cf9301a42d8ffa57dbb216b5897

memory/3496-47-0x0000000000820000-0x0000000000821000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/3920-51-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4892-54-0x0000000000400000-0x000000000042C000-memory.dmp