Malware Analysis Report

2025-01-18 16:34

Sample ID 241126-exycvatqcw
Target d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8
SHA256 d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8
Tags
rat netwire warzonerat botnet discovery infostealer stealer
score
10/10

Analysis Overview

score
10/10

SHA256

d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8

Threat Level: Known bad

The file d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8 was found to be: Known bad.

Malicious Activity Summary

rat netwire warzonerat botnet discovery infostealer stealer

Netwire

Warzonerat family

WarzoneRat, AveMaria

NetWire RAT payload

Netwire family

Warzone RAT payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-26 04:19

Signatures

NetWire RAT payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 1

Netwire family

netwire

AutoIT Executable

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 1

Unsigned PE

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 1

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 04:19

Reported

2024-11-26 04:22

Platform

win7-20240903-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe"

Signatures

NetWire RAT payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 12

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 4

AutoIT Executable

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 7

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe | N/A | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A | 6
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A | 1

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A | 4

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2736 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe | 4
PID 2664 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | 4
PID 2736 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe | C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe | 6
PID 2736 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2772 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe | C:\Windows\SysWOW64\cmd.exe | 6
PID 1740 wrote to memory of 2152 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | 4
PID 2152 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe | 4
PID 2152 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | 6
PID 2152 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2868 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe | 6
PID 1740 wrote to memory of 2176 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | 4
PID 2176 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe | 4
PID 2176 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | 6
PID 2176 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe | 2

Processes

C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe

"C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe

"C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {694DAEB1-B0FB-42A5-B131-8A9E3C345F04} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

memory/2736-0-0x0000000000C00000-0x0000000000D6B000-memory.dmp

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/2664-25-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2736-26-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/2772-27-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2736-41-0x0000000000C00000-0x0000000000D6B000-memory.dmp

memory/2772-39-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2772-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2772-29-0x0000000000080000-0x000000000009D000-memory.dmp

memory/3064-44-0x0000000000160000-0x0000000000161000-memory.dmp

memory/3064-42-0x0000000000160000-0x0000000000161000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 704176b8ad128584f3a98dce04c43152
SHA1 aa3b493e1fc7e7466adb8355dbe42e3308f4d8b1
SHA256 e67fd0f0c29ebceab6dda07a96ecb62009a971f36d355040ee3ea4e85202a6c6
SHA512 ac7d77907c90a46e4aa774954ddd7601eab4f9d39425d67979cf2ab9828575f5efa52de50e228355f32ba0d6a10185b8003b19d687c7aa0ecbbd9d3a25121762

memory/2152-49-0x00000000011A0000-0x000000000130B000-memory.dmp

memory/2868-74-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2868-68-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2868-77-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2152-78-0x00000000011A0000-0x000000000130B000-memory.dmp

memory/2276-81-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2804-84-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2500-86-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2804-89-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2176-113-0x00000000011A0000-0x000000000130B000-memory.dmp

memory/968-117-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/2656-155-0x00000000011A0000-0x000000000130B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 04:19

Reported

2024-11-26 04:22

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe"

Signatures

NetWire RAT payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 13

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 6

Checks computer location settings

Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A | 3

AutoIT Executable

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 7

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A | 6
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe | N/A | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A | 1

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A | 4

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3852 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3852 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3852 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3980 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3980 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3980 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3852 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe
PID 3852 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe
PID 3852 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe
PID 3852 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe
PID 3852 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe
PID 3848 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Windows\SysWOW64\cmd.exe
PID 3848 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Windows\SysWOW64\cmd.exe
PID 3848 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Windows\SysWOW64\cmd.exe
PID 3852 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Windows\SysWOW64\schtasks.exe
PID 3852 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Windows\SysWOW64\schtasks.exe
PID 3852 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Windows\SysWOW64\schtasks.exe
PID 3848 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Windows\SysWOW64\cmd.exe
PID 3848 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4352 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4352 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4352 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4352 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4352 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4352 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4352 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3400 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4352 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4352 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 3400 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2916 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2916 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2916 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2916 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2916 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2916 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2916 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1052 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1052 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1052 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2916 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2916 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1052 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1052 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3424 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3424 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3424 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1988 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 116 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe

"C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe

"C:\Users\Admin\AppData\Local\Temp\d1bc76a7653a663f11a9b42f65524bcfc6fab4dba2b84a09815b14bc63c8dbc8.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network


Files

C:\Users\Admin\AppData\Roaming\Blasthost.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
