Malware Analysis Report

2024-10-19 10:29

Sample ID 240409-3fpw5shg82
Target cc51043efea2a8b3139f3a593e1b4a36
SHA256 bd2545c566219e9645da690ae6da0f994ab548c8305a43796506f2879bbe8f66
Tags
rat netwire warzonerat botnet infostealer stealer
score
10/10

Analysis Overview

score
10/10

SHA256

bd2545c566219e9645da690ae6da0f994ab548c8305a43796506f2879bbe8f66

Threat Level: Known bad

The file cc51043efea2a8b3139f3a593e1b4a36 was found to be: Known bad.

Malicious Activity Summary

rat netwire warzonerat botnet infostealer stealer

NetWire RAT payload

Netwire

Netwire family

WarzoneRat, AveMaria

Warzone RAT payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-04-09 23:27

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 23:27

Reported

2024-04-09 23:50

Platform

win7-20240215-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3004 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2080 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe
PID 2080 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe C:\Windows\SysWOW64\schtasks.exe
PID 2536 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe C:\Windows\SysWOW64\cmd.exe
PID 288 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1436 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1436 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1120 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 288 wrote to memory of 344 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 344 wrote to memory of 292 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 344 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 344 wrote to memory of 620 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe

"C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe

"C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {18B04BE8-D2BD-4EF3-A981-D5259C7F100E} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/3004-23-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2536-38-0x00000000000C0000-0x00000000000DD000-memory.dmp

memory/2536-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2536-28-0x00000000000C0000-0x00000000000DD000-memory.dmp

memory/2536-26-0x00000000000C0000-0x00000000000DD000-memory.dmp

memory/2080-25-0x0000000000D90000-0x0000000000D91000-memory.dmp

memory/2792-42-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2792-40-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2616-46-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2616-47-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 51d91f0378fed988dadee55c5fa60f9e
SHA1 f6065151d4d60ea36425638ee5f5cd6d8bb9209d
SHA256 f1fe1a10069a7dc26efd33ac0c1612ee6288bba2d4c92ed04fc14771b2ebd330
SHA512 b9d6d00c98afe2288f64ca3db413e8092d3bfc5e15c66c14cf005f39b9e82ccaa0b8bf6edcb18cc338fcb8dbfc5dfbba9322d502c907fd9e56c9082df8cd3091

memory/1120-71-0x0000000000080000-0x000000000009D000-memory.dmp

memory/1120-82-0x0000000000080000-0x000000000009D000-memory.dmp

memory/1120-78-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1944-85-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2656-91-0x0000000000400000-0x000000000042C000-memory.dmp

memory/344-119-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 23:27

Reported

2024-04-09 23:52

Platform

win10v2004-20240226-en

Max time kernel

167s

Max time network

179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3100 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2208 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe
PID 116 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe C:\Windows\SysWOW64\schtasks.exe
PID 5052 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 5052 wrote to memory of 936 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 5052 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 936 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 668 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2488 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2488 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 3272 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe

"C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe

"C:\Users\Admin\AppData\Local\Temp\cc51043efea2a8b3139f3a593e1b4a36.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/3100-11-0x0000000000400000-0x000000000042C000-memory.dmp

memory/116-13-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2208-15-0x0000000002770000-0x0000000002771000-memory.dmp

memory/116-22-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3592-24-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/4468-26-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4468-27-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 c4977c9320c9ba60b086a3eee6b7187f
SHA1 1ed2e66f3a208eb395c0649cc099b4a335a4ac8e
SHA256 a22f280be9c7ab1bffd71dc945c7af617c6779e2c563e9cdac158be23c906e47
SHA512 1a26347b5b73035aff62000210e546c9afed70faf61ee75c05c3c8da2e51a55d73de9d0e00567cd67f40d5eed675bd64b0f58e47064cb9d834a038fd4a082902

memory/4064-48-0x0000000001210000-0x0000000001211000-memory.dmp

memory/2780-52-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3272-63-0x0000000000170000-0x000000000018D000-memory.dmp

memory/3272-73-0x0000000000170000-0x000000000018D000-memory.dmp

memory/4460-74-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/668-79-0x0000000000400000-0x000000000042C000-memory.dmp