Malware Analysis Report

2025-01-18 16:35

Sample ID 241202-w7d6dsslfq
Target 6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe
SHA256 6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4
Tags
netwire warzonerat botnet discovery infostealer rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4

Threat Level: Known bad

The file 6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe was found to be: Known bad.

Malicious Activity Summary

netwire warzonerat botnet discovery infostealer rat stealer

NetWire RAT payload

Warzonerat family

Netwire

WarzoneRat, AveMaria

Netwire family

Warzone RAT payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

AutoIT Executable

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-02 18:33

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-02 18:33

Reported

2024-12-02 18:35

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
12 hits; no description, indicator, process or target recorded (all N/A)

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
4 hits; no description, indicator, process or target recorded (all N/A)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

AutoIT Executable

Description Indicator Process Target
6 hits; no description, indicator, process or target recorded (all N/A)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3564 wrote to memory of 2960 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2960 wrote to memory of 1008 (3 events) N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3564 wrote to memory of 1760 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe
PID 1760 wrote to memory of 3908 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 1936 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe C:\Windows\SysWOW64\schtasks.exe
PID 812 wrote to memory of 748 (3 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 812 wrote to memory of 1624 (5 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1624 wrote to memory of 996 (5 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 4596 (3 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1372 wrote to memory of 1508 (3 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1372 wrote to memory of 2960 (5 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2960 wrote to memory of 624 (5 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 2320 (3 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
(51 events in total; identical rows collapsed with their counts, in first-seen order)
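Read as a graph, the table above is the sample's process tree: each row is a process writing into another process's address space, and the targets are exactly the children listed under Processes, so the parent/child pairs double as the creation chain. The dropper (3564) writes into the dropped Blasthost.exe (2960), which in turn writes into Imgburn\Host.exe (1008); the dropper also writes five times into a second instance of its own image (1760), which then writes into cmd.exe (3908), and writes into schtasks.exe (1936) to register the task. The persistent copy RtDCpl64.exe repeats exactly that shape from PIDs 812 and 1372. A process writing into a freshly started copy of its own image, together with the "Suspicious use of SetThreadContext" hit in the summary, is the process-hollowing pattern. The script below is an added example, not part of the sandbox report: it parses rows in the report's own format (a subset of the behavioral2 rows, copied from the table, is embedded as input), collapses repeated events, labels self-image writes, and prints the tree. The labels "dropped binary" and "system binary" are the example's own path heuristics.

```python
import re
from collections import OrderedDict

# Image paths as they appear in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe"
BLASTHOST = r"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
HOST = r"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Rows copied from the behavioral2 "Suspicious use of WriteProcessMemory" table,
# limited to the dropper's first run (the RtDCpl64.exe runs repeat the same shape).
ROWS = (
    [f"PID 3564 wrote to memory of 2960 N/A {SAMPLE} {BLASTHOST}"] * 3
    + [f"PID 2960 wrote to memory of 1008 N/A {BLASTHOST} {HOST}"] * 3
    + [f"PID 3564 wrote to memory of 1760 N/A {SAMPLE} {SAMPLE}"] * 5
    + [f"PID 1760 wrote to memory of 3908 N/A {SAMPLE} {CMD}"] * 3
    + [f"PID 3564 wrote to memory of 1936 N/A {SAMPLE} {SCHTASKS}"] * 3
    + [f"PID 1760 wrote to memory of 3908 N/A {SAMPLE} {CMD}"] * 2
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows):
    """Turn report rows into (src_pid, dst_pid, src_image, dst_image); skip anything else."""
    edges = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            edges.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return edges


def collapse(edges):
    """Count repeated write events per edge, keeping first-seen order."""
    counts = OrderedDict()
    for edge in edges:
        counts[edge] = counts.get(edge, 0) + 1
    return counts


def classify(src_image, dst_image):
    """Heuristic label for a write (the example's own thresholds, not the sandbox's)."""
    src, dst = src_image.lower(), dst_image.lower()
    if src == dst:
        return "self-image write (hollowing candidate)"
    if "\\appdata\\" in dst:
        return "write into dropped binary"
    if dst.startswith("c:\\windows\\"):
        return "write into system binary"
    return "other"


def parent_map(edges):
    """Treat the first process that wrote into a PID as its parent."""
    parents = {}
    for src, dst, _, _ in edges:
        parents.setdefault(dst, src)
    return parents


def render_tree(edges):
    """Indented lines, one per PID, with the classification of the write that created it."""
    parents = parent_map(edges)
    images = {}
    for src, dst, src_img, dst_img in edges:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    children = {}
    for child, parent in parents.items():
        children.setdefault(parent, []).append(child)
    roots = sorted({p for p in parents.values() if p not in parents})

    lines = []

    def walk(pid, depth):
        label = f"{pid} {images[pid]}"
        if pid in parents:
            label += f"  [{classify(images[parents[pid]], images[pid])}]"
        lines.append("  " * depth + label)
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    for (src, dst, _, dst_img), n in collapse(edges).items():
        print(f"{src} -> {dst} x{n}  {dst_img}")
    print()
    print("\n".join(render_tree(edges)))
```

Run as-is it prints the collapsed edge list and the tree; feeding parse_rows the rows of the behavioral1 run instead shows taskeng.exe as the parent of RtDCpl64.exe, i.e. the task-launched chain.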

Processes

C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe

"C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe

"C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
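The three schtasks.exe invocations above register one and the same task: name raserver (the file name of the Windows Remote Assistance server binary, so it does not stand out in a task list), action RtDCpl64.exe under the user's AppData\Roaming\aepic folder, trigger every minute (/sc minute /mo 1), and /F to overwrite an existing task of that name without prompting. No elevation is needed for any of this, the task survives a reboot, and a killed implant is back within a minute, which is why the WriteProcessMemory table shows the same chain restarting under fresh PIDs (812, 1372); the Win7 run confirms that the Task Scheduler itself (taskeng.exe) is what launches RtDCpl64.exe. The following script is an added example and not part of the report: it parses a schtasks /create command line into its options and reports the three traits just described. The benign command line it is compared against is constructed for the example, and the five-minute threshold and the list of user-writable directories are the example's own choices.

```python
import shlex

# Command line copied from the Processes list of this report.
REPORT_CMDLINE = (
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver '
    r'/tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F'
)
# Constructed benign counterpart (not from the report) to show the rules stay quiet on it.
BENIGN_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /create /tn NightlyBackup '
    r'/tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'
)

# Directory markers a standard user can write to; the example's own list.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
MAX_MINUTES_SUSPICIOUS = 5  # example threshold for "too frequent to be a normal job"


def parse_schtasks(cmdline):
    """Map /option -> value (True for bare switches); keys lower-cased.

    posix=False keeps backslashes literal and keeps quoted paths with spaces intact.
    """
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    opts = {}
    i = 1  # tokens[0] is schtasks.exe itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def assess(cmdline):
    """Return the persistence traits found in a schtasks /create command line."""
    opts = parse_schtasks(cmdline)
    findings = []
    if "create" not in opts:
        return findings
    target = str(opts.get("tr", "")).lower()
    if any(marker in target for marker in USER_WRITABLE):
        findings.append(f"task action in user-writable path: {opts['tr']}")
    schedule = str(opts.get("sc", "")).lower()
    try:
        modifier = int(opts.get("mo", 1))
    except (TypeError, ValueError):
        modifier = 1
    if schedule == "minute" and modifier <= MAX_MINUTES_SUSPICIOUS:
        findings.append(f"runs every {modifier} minute(s): relaunches the binary almost immediately if killed")
    if opts.get("f") is True:
        findings.append("/F: overwrites an existing task of the same name without prompting")
    return findings


if __name__ == "__main__":
    for name, cmd in (("report", REPORT_CMDLINE), ("benign", BENIGN_CMDLINE)):
        print(name, parse_schtasks(cmd).get("tn"), assess(cmd) or ["no findings"])
```

On a live host the same task can be confirmed with `schtasks /query /tn raserver /v /fo LIST` or `Get-ScheduledTask -TaskName raserver`; the creation itself shows up as Security event 4698 when task auditing is enabled, and as a process-creation event for schtasks.exe carrying this command line.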

Network

Country Destination Domain Proto Queries
US 8.8.8.8:53 wealth.warzonedns.com udp 23
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp 15
US 8.8.8.8:53 wealthyme.ddns.net udp 14
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp 1
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp 1
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp 1
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 102.208.201.84.in-addr.arpa udp 1
US 8.8.8.8:53 105.208.201.84.in-addr.arpa udp 1
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp 1
(61 queries in total, all UDP to 8.8.8.8:53; the three forward names were queried in a repeating rotation, and no TCP connection to any resolved address was recorded. Identical rows collapsed with their counts.)
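Every row in the table is a UDP query to the sandbox resolver (8.8.8.8:53) and nothing else: no TCP session to a resolved address appears, so within the 121 s capture the names either did not resolve or nothing answered, and the client kept re-querying its configured names in rotation. The three forward names all sit on dynamic DNS zones (ddns.net, strangled.net, warzonedns.com) rather than on registered domains, which is the pattern to hunt for; the in-addr.arpa rows are reverse (PTR) lookups and should be judged separately rather than treated as C2 names. The script below is an added example, not part of the report: it parses rows in the table's format (the first twelve rows are embedded as input), separates PTR lookups from forward queries and decodes the PTR names back to addresses, tags each forward name with its dynamic DNS zone, and emits the forward names ranked by query count as an IOC list. The zone list is seeded from this report alone and is the example's assumption.

```python
import re
from collections import Counter

# The first twelve rows of the behavioral2 Network table, copied from the report
# (the full table has 61 rows of the same shape).
NETWORK_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
""".strip().splitlines()

# Dynamic DNS zones to tag. Seeded from the names in this report only (assumption);
# a real hunt list would be much longer.
DYNDNS_ZONES = ("ddns.net", "strangled.net", "warzonedns.com")

ROW_RE = re.compile(r"^(\S+) (\S+:\d+) (\S+) (udp|tcp)$", re.IGNORECASE)
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.IGNORECASE)


def parse_rows(rows):
    """Return (country, destination, domain, proto) per data row; the header is skipped."""
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3).lower(), m.group(4).lower()))
    return out


def ptr_to_ip(name):
    """'154.239.44.20.in-addr.arpa' -> '20.44.239.154'; None for a forward name."""
    m = PTR_RE.match(name.strip())
    return ".".join(reversed(m.groups())) if m else None


def zone_of(domain):
    """The dynamic DNS zone a name belongs to, or None."""
    for zone in DYNDNS_ZONES:
        if domain == zone or domain.endswith("." + zone):
            return zone
    return None


def summarize(rows):
    """Split queries into forward lookups (counted) and PTR lookups (decoded)."""
    forward, ptr, resolvers = Counter(), [], set()
    for _country, dest, domain, _proto in parse_rows(rows):
        resolvers.add(dest)
        ip = ptr_to_ip(domain)
        if ip:
            ptr.append((domain, ip))
        else:
            forward[domain] += 1
    return {"forward": forward, "ptr": ptr, "resolvers": resolvers}


def iocs(rows):
    """Forward names ranked by query count, each tagged with its dynamic DNS zone (or None)."""
    summary = summarize(rows)
    return [(d, n, zone_of(d)) for d, n in summary["forward"].most_common()]


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print("resolver(s):", ", ".join(sorted(s["resolvers"])))
    for domain, n, zone in iocs(NETWORK_ROWS):
        print(f"{n:3d}  {domain:32s}  zone={zone}")
    for name, ip in s["ptr"]:
        print(f"PTR  {name:32s}  -> {ip}")
```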

Files

memory/3564-0-0x00000000003C0000-0x000000000052B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/2960-12-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3564-14-0x00000000043F0000-0x00000000043F1000-memory.dmp

memory/1760-15-0x0000000000ED0000-0x0000000000EED000-memory.dmp

memory/1760-23-0x0000000000ED0000-0x0000000000EED000-memory.dmp

memory/3564-25-0x00000000003C0000-0x000000000052B000-memory.dmp

memory/3908-26-0x0000000000970000-0x0000000000971000-memory.dmp

memory/1008-28-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 f443c510acbc40bd84c3d73b5bafe473
SHA1 901fe30b70c643d5fca5d6f5feea7ec60f93b6ae
SHA256 e8c3d3c3fc6194f273306e40f95b9664794573c911cec0b76f3b33d59ad94093
SHA512 691713428f8c123f5ab0030d3e58cb64226e81e03528e75a00b3dc19efb264623acee8c1d0ea961ee6384a1419b3ab107beaa93a11f05b68e118a8939e232470

memory/812-31-0x0000000000F00000-0x000000000106B000-memory.dmp

memory/1624-40-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1624-48-0x0000000000400000-0x000000000041D000-memory.dmp

memory/812-49-0x0000000000F00000-0x000000000106B000-memory.dmp

memory/996-50-0x0000000001060000-0x0000000001061000-memory.dmp

memory/1008-52-0x0000000000400000-0x000000000042C000-memory.dmp

memory/748-54-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1372-75-0x0000000000F00000-0x000000000106B000-memory.dmp

memory/624-77-0x0000000000950000-0x0000000000951000-memory.dmp

memory/1508-81-0x0000000000400000-0x000000000042C000-memory.dmp
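The dump names encode PID, dump index and the address range captured, and the region sizes fall into four groups: 0x16B000 bytes in PIDs 3564, 812 and 1372 (the dropper and both RtDCpl64.exe launches, so the persisted file is the same image as the sample), 0x2C000 bytes at 0x400000 in PIDs 2960, 1008, 748 and 1508 (every Blasthost.exe and Host.exe instance), 0x1D000 bytes in PIDs 1760 and 1624 (the hollowed second instances of the dropper and of RtDCpl64.exe), and single 0x1000 pages in the cmd.exe children 3908, 996 and 624 plus one in 3564. Two distinct injected-image sizes fit the two families tagged on this report, but only the dump contents, not the sizes, settle which payload is which. The script below is an added example, not part of the report: it parses the dump names, computes the size of each region and groups PIDs by identical size, using a PID-to-image map read off the WriteProcessMemory table of the same run.

```python
import re
from collections import defaultdict

SAMPLE = "6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe"

# Dump names copied from the Files section of behavioral2.
DUMPS = """
memory/3564-0-0x00000000003C0000-0x000000000052B000-memory.dmp
memory/2960-12-0x0000000000400000-0x000000000042C000-memory.dmp
memory/3564-14-0x00000000043F0000-0x00000000043F1000-memory.dmp
memory/1760-15-0x0000000000ED0000-0x0000000000EED000-memory.dmp
memory/1760-23-0x0000000000ED0000-0x0000000000EED000-memory.dmp
memory/3564-25-0x00000000003C0000-0x000000000052B000-memory.dmp
memory/3908-26-0x0000000000970000-0x0000000000971000-memory.dmp
memory/1008-28-0x0000000000400000-0x000000000042C000-memory.dmp
memory/812-31-0x0000000000F00000-0x000000000106B000-memory.dmp
memory/1624-40-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1624-48-0x0000000000400000-0x000000000041D000-memory.dmp
memory/812-49-0x0000000000F00000-0x000000000106B000-memory.dmp
memory/996-50-0x0000000001060000-0x0000000001061000-memory.dmp
memory/1008-52-0x0000000000400000-0x000000000042C000-memory.dmp
memory/748-54-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1372-75-0x0000000000F00000-0x000000000106B000-memory.dmp
memory/624-77-0x0000000000950000-0x0000000000951000-memory.dmp
memory/1508-81-0x0000000000400000-0x000000000042C000-memory.dmp
""".strip().splitlines()

# PID -> image basename, read off the WriteProcessMemory table of the same run.
# PID 2960 is reused later in the run for an RtDCpl64.exe child; dump index 12 is
# early, so that dump belongs to the Blasthost.exe instance.
PID_IMAGE = {
    3564: SAMPLE, 1760: SAMPLE,
    2960: "Blasthost.exe", 748: "Blasthost.exe", 1508: "Blasthost.exe",
    1008: "Imgburn\\Host.exe",
    812: "RtDCpl64.exe", 1372: "RtDCpl64.exe", 1624: "RtDCpl64.exe",
    3908: "cmd.exe", 996: "cmd.exe", 624: "cmd.exe",
}

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """memory/<pid>-<index>-<start>-<end>-memory.dmp -> dict including the region size."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": int(m.group(1)), "index": int(m.group(2)),
            "start": start, "end": end, "size": end - start}


def group_by_size(names):
    """Region size -> set of PIDs that had a region of exactly that size dumped."""
    groups = defaultdict(set)
    for name in names:
        d = parse_dump(name)
        if d:
            groups[d["size"]].add(d["pid"])
    return dict(groups)


def describe(names, pid_image):
    """One line per size group, largest first, with the images those PIDs were running."""
    lines = []
    for size, pids in sorted(group_by_size(names).items(), reverse=True):
        images = sorted({pid_image.get(pid, "?") for pid in pids})
        lines.append(f"0x{size:X} ({size} bytes): pids {sorted(pids)} -> {', '.join(images)}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(DUMPS, PID_IMAGE)))
```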

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-02 18:33

Reported

2024-12-02 18:35

Platform

win7-20240903-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
12 hits; no description, indicator, process or target recorded (all N/A)

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
4 hits; no description, indicator, process or target recorded (all N/A)

AutoIT Executable

Description Indicator Process Target
7 hits; no description, indicator, process or target recorded (all N/A)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 1792 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1792 wrote to memory of 3048 (4 events) N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1648 wrote to memory of 2672 (6 events) N/A C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe
PID 2672 wrote to memory of 2676 (6 events) N/A C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 2912 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 1848 (4 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1848 wrote to memory of 2632 (4 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1848 wrote to memory of 492 (6 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 492 wrote to memory of 704 (6 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 1988 (4 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 2148 (4 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2148 wrote to memory of 2448 (4 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2148 wrote to memory of 1532 (6 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2148 wrote to memory of 2292 (2 events) N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
(64 events in total; identical rows collapsed with their counts, in first-seen order)

Processes

C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe

"C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe

"C:\Users\Admin\AppData\Local\Temp\6e8dda32fd0339c74b209a5082e1737d44678dc451bc42ee376a760857314ff4N.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {2463EE59-B3D9-47EA-907C-41204DF16BBD} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

memory/1648-0-0x00000000008A0000-0x0000000000A0B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/1792-24-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1648-26-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2672-27-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2672-29-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2672-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2672-39-0x0000000000080000-0x000000000009D000-memory.dmp

memory/1648-41-0x00000000008A0000-0x0000000000A0B000-memory.dmp

memory/2676-42-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/2676-44-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/3048-47-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 5128e5146b3512caaa3ecfd8ea2a699c
SHA1 3d289583488ff1311abb27ec5eb030ac62cba2fd
SHA256 1a531bb0106f318aeb99c5cab9020bdbe1523c48b81f63d5456faf15e9bd3739
SHA512 e656bc7d3f953e1cbde28ea5696d9df4815ea3456c0c6a7cc62bd4d82b1d6382dc741ce6302e0763d836165d024060e02cf7a659d83f318e11d833765e806bbc

memory/1848-51-0x0000000000160000-0x00000000002CB000-memory.dmp

memory/492-76-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1848-80-0x0000000000160000-0x00000000002CB000-memory.dmp

memory/3048-81-0x0000000000400000-0x000000000042C000-memory.dmp

memory/704-84-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2632-88-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2148-99-0x0000000000160000-0x00000000002CB000-memory.dmp

memory/1532-106-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1532-115-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2148-116-0x0000000000160000-0x00000000002CB000-memory.dmp

memory/2060-120-0x0000000000270000-0x0000000000271000-memory.dmp