Overview

overview

10

Static

static

10

3c1fe12b7f...6N.exe

windows11-21h2-x64

10

Resubmissions

11-11-2024 01:41

241111-b4ktjsypcw 10

09-10-2024 03:57

241009-eh9gkaxgma 10

07-10-2024 08:35

241007-kg6beazeja 10

Analysis

  • max time kernel
    1049s
  • max time network
    1049s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-10-2024 03:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c1fe12b7f390562bb38024e7660275084507eea76ff9243595eb1c72deb8176N.exe

  • Size

    1.4MB

  • MD5

    b7529a3fbd36999f2d817b46752fbdc0

  • SHA1

    2282e637522b58ccf58e27a6087acbf604ba642c

  • SHA256

    3c1fe12b7f390562bb38024e7660275084507eea76ff9243595eb1c72deb8176

  • SHA512

    01ef2e1aa7809337a9ff154e34fe792536598402ff6befaa7b9992f225d799f12b6d49ef2d4da2df70debbc81cf785498eeeba059b16d0d2e89d4cd2aaf6dcac

  • SSDEEP

    24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYv:Fo0c++OCokGs9Fa+rd1f26RNYv

Score
10/10
netwirewarzoneratbotnetdiscoveryinfostealerratstealer

Malware Config

Extracted

Family

netwire

C2

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    sunshineslisa

  • install_path

    %AppData%\Imgburn\Host.exe

  • keylogger_dir

    %AppData%\Logs\Imgburn\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    sucess

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Signatures

  • NetWire RAT payload 36 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 4 IoCs
    rat
  • Executes dropped EXE 53 IoCs
  • AutoIT Executable 30 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c1fe12b7f390562bb38024e7660275084507eea76ff9243595eb1c72deb8176N.exe
    "C:\Users\Admin\AppData\Local\Temp\3c1fe12b7f390562bb38024e7660275084507eea76ff9243595eb1c72deb8176N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3868
      • C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
        "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3200
    • C:\Users\Admin\AppData\Local\Temp\3c1fe12b7f390562bb38024e7660275084507eea76ff9243595eb1c72deb8176N.exe
      "C:\Users\Admin\AppData\Local\Temp\3c1fe12b7f390562bb38024e7660275084507eea76ff9243595eb1c72deb8176N.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3156
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4296
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:3416
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1476
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:784
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:2492
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1660
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:924
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ResumeUnblock.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1356
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:4716
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2208
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2820
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:1780
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:4544
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      PID:4232
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1036
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4900
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:2848
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:3216
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2988
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:5088
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:4152
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:1368
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2796
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1684
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:5044
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:844
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:4988
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:420
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1052
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3364
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:1600
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:1652
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1616
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2568
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3332
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:4660
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:4652
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1140
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4712
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3372
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:2476
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:4092
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:232
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2320
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4780
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:1200
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:880
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2148
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3528
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2672
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:5064
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:3920
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2836
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1164
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3476
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:3440
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:3960
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:392
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4036
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4628
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:2236
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:1796
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      PID:4636
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:712
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2272
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:5084
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:3708
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4200
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1632
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:768
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:2420
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:5104
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2500
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2080
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:928
  • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:3856
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      PID:1100
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4460
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:4120
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        2⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3660

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TCD10F2.tmp\gb.xsl
      Filesize

      262KB

      MD5

      51d32ee5bc7ab811041f799652d26e04

      SHA1

      412193006aa3ef19e0a57e16acf86b830993024a

      SHA256

      6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

      SHA512

      5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Filesize

      132KB

      MD5

      6087bf6af59b9c531f2c9bb421d5e902

      SHA1

      8bc0f1596c986179b82585c703bacae6d2a00316

      SHA256

      3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

      SHA512

      c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Filesize

      332B

      MD5

      90152546c44f9b02de4ae33fad2f7e9f

      SHA1

      b8d236f3a6a25e531fafabbc2a8e0135d86096bc

      SHA256

      e3377f322e18f3fa6eef8977f0331513ebfed8d7a45b57c91ce253feaba5cd70

      SHA512

      c798413fd9d0463e75022489ce67881945ec1d4fd3685ad3b6c9bdbfd132cbd2c6ab4186f18fc0d6434a05eca6379526af623f19243b82c3c5dc6478720bb9b5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      2KB

      MD5

      67f26934c9a1fe93847af0cc0b1d9dcd

      SHA1

      f304a8e2b92afe77813ce0f2d6aff77b5da0b791

      SHA256

      0036a4ce5236b3803e4398b32371fb473b4148c9b33d29a84bf6c284ad6ae9b5

      SHA512

      ffb9c593a539a433d9b4b60bb3bc21b5c751dc2cb84b224aa6f0bfad83fc4dceec7a7304f8a60cb9293afdeef905cfadc81ea2cb48ae19a4842717ce0199188f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      2KB

      MD5

      48b6d54dc190f7fdfdda2944066a1d50

      SHA1

      db028df9e248ea99dbbb247b5f4482535c28e85c

      SHA256

      bbdfb133e0b23b58772e689fec97337c7ea7e7f4def0bb60ea8c34faae7e4e54

      SHA512

      6529d34f6e5c10122bcc0ae0fb517d6fd99ad059f480ddd1b87bd8598e74691b21b060fa3a63e81cffcc1e36a62b3607626ecb7cba2fb4a36dd2d54774bdb717

      Download Submit

    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Filesize

      1.4MB

      MD5

      faaa1873f4e63f5bc32243d02625ac72

      SHA1

      d114486a33a03f96039e47093f79780402598464

      SHA256

      dc32aebc5c4f4c106090563df81ddf2403e5f337def9365f26dfffb4d116a4ff

      SHA512

      abcc3001fe7c76535f1d0f01c291d72b791cdcf962e0434658d639053c87bbb96801095fa2e219f2a285fac9cd18d6b14fa4c2029a6b6ed7f0206dd16b9a58a9

      Download Submit

    • memory/844-822-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/844-808-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1200-1109-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1200-1092-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1356-89-0x00007FFBF6230000-0x00007FFBF6240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1356-88-0x00007FFBF6230000-0x00007FFBF6240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1356-90-0x00007FFBF6230000-0x00007FFBF6240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1356-92-0x00007FFBF6230000-0x00007FFBF6240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1356-91-0x00007FFBF6230000-0x00007FFBF6240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1356-94-0x00007FFBF3CF0000-0x00007FFBF3D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1356-93-0x00007FFBF3CF0000-0x00007FFBF3D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1476-53-0x0000000001C60000-0x0000000001C61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1600-869-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1600-883-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1660-80-0x0000000000E30000-0x0000000000E31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1780-670-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2076-52-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2076-34-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2236-1352-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2420-1493-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2420-1507-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2476-1029-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2476-1014-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2492-83-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2848-712-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3108-78-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3156-26-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3200-31-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/3200-28-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/3220-14-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3220-25-0x0000000000CC0000-0x0000000000E2B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3220-0-0x0000000000CC0000-0x0000000000E2B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3416-57-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/3440-1265-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3440-1251-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3856-1593-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3868-12-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4020-15-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/4020-23-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/4152-766-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4152-754-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4660-947-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4712-629-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4872-43-0x0000000000350000-0x000000000036D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/4872-51-0x0000000000350000-0x000000000036D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/5064-1171-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5064-1187-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5084-1414-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5084-1429-0x0000000000CF0000-0x0000000000E5B000-memory.dmp

      Filesize

      1.4MB

      Download