netwire | 785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65

Analysis

max time kernel
120s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 04:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe
Size

1.4MB
MD5

35ef5bf1faabd102f3b11517c5e4d480
SHA1

b704e1c962e56f52c76a75e15dd5b1f554495bc0
SHA256

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65
SHA512

e5ebd92d732890513c68a611edc538b1ba1e04de70df2b152dc0d27a8d5dca9aaca768163d3386ca8a40cf56b704b146baa4ed6d1d39f0ec52bf875f3e22d59b
SSDEEP

24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWY8:Fo0c++OCokGs9Fa+rd1f26RNY8

Score

10^/10

netwire warzonerat botnet discovery infostealer rat stealer

Malware Config

Extracted

Family

netwire

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

wealth.warzonedns.com:5202

Signatures

NetWire RAT payload 9 IoCs

rat

resource	yara_rule
behavioral2/memory/512-0-0x0000000000890000-0x00000000009FB000-memory.dmp	netwire
behavioral2/files/0x000c000000023b8d-5.dat	netwire
behavioral2/memory/116-12-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/512-25-0x0000000000890000-0x00000000009FB000-memory.dmp	netwire
behavioral2/memory/1324-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/files/0x0007000000023c8a-33.dat	netwire
behavioral2/memory/1748-34-0x0000000000A40000-0x0000000000BAB000-memory.dmp	netwire
behavioral2/memory/1748-52-0x0000000000A40000-0x0000000000BAB000-memory.dmp	netwire
behavioral2/memory/1124-57-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/996-15-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/996-23-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RtDCpl64.exe

Executes dropped EXE 6 IoCs

pid	Process
116	Blasthost.exe
1324	Host.exe
1748	RtDCpl64.exe
1124	Blasthost.exe
2040	RtDCpl64.exe
3332	RtDCpl64.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/512-0-0x0000000000890000-0x00000000009FB000-memory.dmp	autoit_exe
behavioral2/memory/512-25-0x0000000000890000-0x00000000009FB000-memory.dmp	autoit_exe
behavioral2/files/0x0007000000023c8a-33.dat	autoit_exe
behavioral2/memory/1748-34-0x0000000000A40000-0x0000000000BAB000-memory.dmp	autoit_exe
behavioral2/memory/1748-52-0x0000000000A40000-0x0000000000BAB000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 512 set thread context of 996	512	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	90
PID 1748 set thread context of 2040	1748	RtDCpl64.exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blasthost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtDCpl64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtDCpl64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtDCpl64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
1668	schtasks.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 116	512	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	86
PID 512 wrote to memory of 116	512	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	86
PID 512 wrote to memory of 116	512	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	86
PID 116 wrote to memory of 1324	116	Blasthost.exe	88
PID 116 wrote to memory of 1324	116	Blasthost.exe	88
PID 116 wrote to memory of 1324	116	Blasthost.exe	88
PID 512 wrote to memory of 996	512	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	90
PID 512 wrote to memory of 996	512	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	90
PID 512 wrote to memory of 996	512	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	90
PID 512 wrote to memory of 996	512	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	90
PID 512 wrote to memory of 996	512	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	90
PID 996 wrote to memory of 208	996	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	91
PID 996 wrote to memory of 208	996	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	91
PID 996 wrote to memory of 208	996	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	91
PID 512 wrote to memory of 2728	512	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	93
PID 512 wrote to memory of 2728	512	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	93
PID 512 wrote to memory of 2728	512	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	93
PID 996 wrote to memory of 208	996	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	91
PID 996 wrote to memory of 208	996	785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe	91
PID 1748 wrote to memory of 1124	1748	RtDCpl64.exe	110
PID 1748 wrote to memory of 1124	1748	RtDCpl64.exe	110
PID 1748 wrote to memory of 1124	1748	RtDCpl64.exe	110
PID 1748 wrote to memory of 2040	1748	RtDCpl64.exe	111
PID 1748 wrote to memory of 2040	1748	RtDCpl64.exe	111
PID 1748 wrote to memory of 2040	1748	RtDCpl64.exe	111
PID 1748 wrote to memory of 2040	1748	RtDCpl64.exe	111
PID 1748 wrote to memory of 2040	1748	RtDCpl64.exe	111
PID 2040 wrote to memory of 4696	2040	RtDCpl64.exe	112
PID 2040 wrote to memory of 4696	2040	RtDCpl64.exe	112
PID 2040 wrote to memory of 4696	2040	RtDCpl64.exe	112
PID 1748 wrote to memory of 1668	1748	RtDCpl64.exe	114
PID 1748 wrote to memory of 1668	1748	RtDCpl64.exe	114
PID 1748 wrote to memory of 1668	1748	RtDCpl64.exe	114
PID 2040 wrote to memory of 4696	2040	RtDCpl64.exe	112
PID 2040 wrote to memory of 4696	2040	RtDCpl64.exe	112

C:\Users\Admin\AppData\Local\Temp\785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe
"C:\Users\Admin\AppData\Local\Temp\785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:512
- C:\Users\Admin\AppData\Roaming\Blasthost.exe
  "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
    "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1324
- C:\Users\Admin\AppData\Local\Temp\785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe
  "C:\Users\Admin\AppData\Local\Temp\785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:208
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2728

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Roaming\Blasthost.exe
  "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4696
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1668

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3332

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

wealth.warzonedns.com

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealth.warzonedns.com

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

72.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.209.201.84.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ac78b8a94ed9415d96247a386d74d2dd&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ac78b8a94ed9415d96247a386d74d2dd&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=368971FA413B6073210064E6403D6121; domain=.bing.com; expires=Wed, 12-Nov-2025 04:34:03 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DF80B4CE7466470AB22E08FF188C67B8 Ref B: LON601060108034 Ref C: 2024-10-18T04:34:03Z
date: Fri, 18 Oct 2024 04:34:03 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ac78b8a94ed9415d96247a386d74d2dd&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ac78b8a94ed9415d96247a386d74d2dd&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=368971FA413B6073210064E6403D6121

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=hsE3cW44R1ApCjeXSkpBo00OUWOStCVDwxq8IMGvajI; domain=.bing.com; expires=Wed, 12-Nov-2025 04:34:03 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0E16AB1A6E124AE7A749CB4B76429A09 Ref B: LON601060108034 Ref C: 2024-10-18T04:34:03Z
date: Fri, 18 Oct 2024 04:34:03 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ac78b8a94ed9415d96247a386d74d2dd&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ac78b8a94ed9415d96247a386d74d2dd&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=368971FA413B6073210064E6403D6121; MSPTC=hsE3cW44R1ApCjeXSkpBo00OUWOStCVDwxq8IMGvajI

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 95EBBE907DDB4C4E8FC78C9D4F90DB54 Ref B: LON601060108034 Ref C: 2024-10-18T04:34:04Z
date: Fri, 18 Oct 2024 04:34:03 GMT
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
GET

https://tse1.mm.bing.net/th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 746576
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2B8DFDA1686943539CAAE4A750ECA6F3 Ref B: LON601060101052 Ref C: 2024-10-18T04:35:41Z
date: Fri, 18 Oct 2024 04:35:40 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360615986_1M5N6Y5ACPFWCCI4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360615986_1M5N6Y5ACPFWCCI4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 305259
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 52C86AC24F0F4521BC888496FB7EA21A Ref B: LON601060101052 Ref C: 2024-10-18T04:35:41Z
date: Fri, 18 Oct 2024 04:35:40 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 761345
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7BDDDD5EAC7F4386920A67EB5F6AF29D Ref B: LON601060101052 Ref C: 2024-10-18T04:35:41Z
date: Fri, 18 Oct 2024 04:35:40 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 657438
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 90A840CFBF90428890FB359AACF4D7B3 Ref B: LON601060101052 Ref C: 2024-10-18T04:35:41Z
date: Fri, 18 Oct 2024 04:35:40 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 668226
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 725BBE16F3EA4FD5B3E85D3A03A1E778 Ref B: LON601060101052 Ref C: 2024-10-18T04:35:41Z
date: Fri, 18 Oct 2024 04:35:40 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360615987_16QLWX2YIZJRGGD7R&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360615987_16QLWX2YIZJRGGD7R&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 258855
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FE88CC021A8B49B6904A305D1B61A298 Ref B: LON601060101052 Ref C: 2024-10-18T04:35:41Z
date: Fri, 18 Oct 2024 04:35:41 GMT
DNS

10.27.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.27.171.150.in-addr.arpa

IN PTR

Response
DNS

10.27.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.27.171.150.in-addr.arpa

IN PTR

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

Wealthy2019.com.strangled.net

Blasthost.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealth.warzonedns.com

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response

150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ac78b8a94ed9415d96247a386d74d2dd&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ac78b8a94ed9415d96247a386d74d2dd&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ac78b8a94ed9415d96247a386d74d2dd&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ac78b8a94ed9415d96247a386d74d2dd&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

HTTP Response

204
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239360615987_16QLWX2YIZJRGGD7R&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

132.4kB
3.5MB
2561
2554

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360615986_1M5N6Y5ACPFWCCI4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360615987_16QLWX2YIZJRGGD7R&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

207 B
287 B
3
2

DNS Request

104.219.191.52.in-addr.arpa

DNS Request

wealth.warzonedns.com

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Blasthost.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

72.209.201.84.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

72.209.201.84.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Blasthost.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Blasthost.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Blasthost.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Blasthost.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Blasthost.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Blasthost.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

140 B
266 B
2
2

DNS Request

83.210.23.2.in-addr.arpa

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

134 B
280 B
2
2

DNS Request

wealth.warzonedns.com

DNS Request

wealth.warzonedns.com
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

142 B
314 B
2
2

DNS Request

55.36.223.20.in-addr.arpa

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

128 B
248 B
2
2

DNS Request

wealthyme.ddns.net

DNS Request

wealthyme.ddns.net
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Blasthost.exe

150 B
268 B
2
2

DNS Request

Wealthy2019.com.strangled.net

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

134 B
280 B
2
2

DNS Request

wealth.warzonedns.com

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

128 B
248 B
2
2

DNS Request

wealthyme.ddns.net

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

134 B
280 B
2
2

DNS Request

wealth.warzonedns.com

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Blasthost.exe

150 B
268 B
2
2

DNS Request

Wealthy2019.com.strangled.net

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

134 B
280 B
2
2

DNS Request

wealth.warzonedns.com

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

128 B
248 B
2
2

DNS Request

wealthyme.ddns.net

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

134 B
140 B
2
1

DNS Request

wealth.warzonedns.com

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Blasthost.exe

150 B
268 B
2
2

DNS Request

Wealthy2019.com.strangled.net

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

134 B
280 B
2
2

DNS Request

wealth.warzonedns.com

DNS Request

wealth.warzonedns.com
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

146 B
288 B
2
2

DNS Request

240.221.184.93.in-addr.arpa

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

128 B
248 B
2
2

DNS Request

wealthyme.ddns.net

DNS Request

wealthyme.ddns.net
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

48.229.111.52.in-addr.arpa

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

134 B
280 B
2
2

DNS Request

wealth.warzonedns.com

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Blasthost.exe

150 B
268 B
2
2

DNS Request

Wealthy2019.com.strangled.net

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
340 B
2
2

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

134 B
280 B
2
2

DNS Request

wealth.warzonedns.com

DNS Request

wealth.warzonedns.com
8.8.8.8:53

10.27.171.150.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

10.27.171.150.in-addr.arpa

DNS Request

10.27.171.150.in-addr.arpa
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

128 B
124 B
2
1

DNS Request

wealthyme.ddns.net

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

134 B
280 B
2
2

DNS Request

wealth.warzonedns.com

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Blasthost.exe

150 B
268 B
2
2

DNS Request

Wealthy2019.com.strangled.net

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

134 B
280 B
2
2

DNS Request

wealth.warzonedns.com

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

128 B
248 B
2
2

DNS Request

wealthyme.ddns.net

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

785479593cefc5e8d89e9759dcf33ae41108f85cf654d688a00d0f95eef4ef65N.exe

134 B
280 B
2
2

DNS Request

wealth.warzonedns.com

DNS Request

wealth.warzonedns.com
8.8.8.8:53
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.4MB

MD5
43480173a476ef348242ef8980eae488

SHA1
6c28f5df3f357e7ff2725c15b794e8faeda94458

SHA256
b773f92c0d5db6a1e9332427d24c830d0aec015f1c82d1772149fd61b908969d

SHA512
02f12f180f86a2420aa25139b4414d0e86039f44c608d96025032deb745e3e2aa7f42493804b9bbdb1a745c57ed297ca02bd82bf0a43076c412e521d020598d2

Download Submit
memory/116-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/208-26-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/512-25-0x0000000000890000-0x00000000009FB000-memory.dmp

Filesize
1.4MB

Download
memory/512-0-0x0000000000890000-0x00000000009FB000-memory.dmp

Filesize
1.4MB

Download
memory/512-14-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/996-23-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/996-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1124-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1324-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1748-34-0x0000000000A40000-0x0000000000BAB000-memory.dmp

Filesize
1.4MB

Download
memory/1748-52-0x0000000000A40000-0x0000000000BAB000-memory.dmp

Filesize
1.4MB

Download
memory/4696-54-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request