Malware Analysis Report

2024-10-19 10:25

Sample ID 240906-cb16hazgqf
Target f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe
SHA256 f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d
Tags
rat netwire warzonerat botnet discovery infostealer stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d

Threat Level: Known bad

The file f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe was found to be: Known bad.

Malicious Activity Summary

rat netwire warzonerat botnet discovery infostealer stealer

NetWire RAT payload

WarzoneRat, AveMaria

Netwire

Netwire family

Warzone RAT payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-06 01:54

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-06 01:54

Reported

2024-09-06 01:57

Platform

win7-20240903-en

Max time kernel

148s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2336 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1448 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe
PID 2872 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2792 wrote to memory of 1956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1956 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1956 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1852 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2792 wrote to memory of 1984 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1984 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1984 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2300 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe

"C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe

"C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {890CD5B2-5E29-49AE-B389-2A98D0A4D0F0} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 2d4fb824cd296c6dad1d3073db15b1b8
SHA1 f59373b569ca2c584b5013f39fdacd302ba07f46
SHA256 80b76ee70fc800a68ebb51704d3c899d16b3348547dd3e8d9ea84950d514d4a9
SHA512 397179b12f13f9702f8714a815576aa5fc31294f6e816e5e4a14ae990815e6c33e0166879adbf092298d854120588e5d44cb2d85e645e174fc0a8ef782c46686

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-06 01:54

Reported

2024-09-06 01:57

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 712 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3376 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 712 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe
PID 2636 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe C:\Windows\SysWOW64\cmd.exe
PID 712 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2180 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2180 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1048 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4552 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4552 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4548 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe

"C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe

"C:\Users\Admin\AppData\Local\Temp\f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp

Files

memory/712-0-0x00000000006D0000-0x000000000083B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/3376-12-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2636-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/712-14-0x00000000048E0000-0x00000000048E1000-memory.dmp

memory/2636-23-0x0000000000400000-0x000000000041D000-memory.dmp

memory/712-25-0x00000000006D0000-0x000000000083B000-memory.dmp

memory/1572-26-0x0000000001490000-0x0000000001491000-memory.dmp

memory/1228-28-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1228-29-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 285a0e471f5dba717f02b1ec0ef29937
SHA1 cb1a21a051afc8848ecbe7882604a56015c2b956
SHA256 89081830117d2821e50198c5b69438d0ea7e9ffd7b0ae2640e2bcb9416cfb000
SHA512 8c18e89b2304ce64dfbf23f521d446ddbdee49251363deab7331003700330558a6ac5ad742b606d4174b11a9f99f60f4ea0a7e12d7a4e26825cbf3dd9b44693c

memory/2180-34-0x0000000000C80000-0x0000000000DEB000-memory.dmp

memory/1048-51-0x0000000000C80000-0x0000000000DEB000-memory.dmp

memory/2180-53-0x0000000000C80000-0x0000000000DEB000-memory.dmp

memory/4856-54-0x0000000000E10000-0x0000000000E11000-memory.dmp

memory/3576-58-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4552-79-0x0000000000C80000-0x0000000000DEB000-memory.dmp

memory/1740-81-0x00000000007F0000-0x00000000007F1000-memory.dmp

memory/1388-84-0x0000000000400000-0x000000000042C000-memory.dmp