Malware Analysis Report

2025-04-03 09:54

Sample ID 250202-jtlbbsvkak
Target eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe
SHA256 eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09
Tags
rat netwire warzonerat botnet discovery infostealer stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09

Threat Level: Known bad

The file eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe was found to be: Known bad.

Malicious Activity Summary

rat netwire warzonerat botnet discovery infostealer stealer

Netwire

Warzonerat family

NetWire RAT payload

Netwire family

WarzoneRat, AveMaria

Warzone RAT payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-02 07:57

Signatures

NetWire RAT payload

rat
1 match; no description, indicator, process or target recorded.

Netwire family

netwire

AutoIT Executable

1 match; no description, indicator, process or target recorded.

Unsigned PE

1 match; no description, indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-02 07:57

Reported

2025-02-02 07:59

Platform

win7-20240903-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe"

Signatures

NetWire RAT payload

rat
12 matches; no description, indicator, process or target recorded.

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat
2 matches; no description, indicator, process or target recorded.

AutoIT Executable

7 matches; no description, indicator, process or target recorded.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2688 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2688 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2688 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2804 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2804 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2804 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2804 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2688 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe
PID 2688 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe
PID 2688 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe
PID 2688 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe
PID 2688 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe
PID 2688 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe
PID 2688 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\schtasks.exe
PID 2688 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\schtasks.exe
PID 2688 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\schtasks.exe
PID 2688 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2944 wrote to memory of 2028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2944 wrote to memory of 2028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2944 wrote to memory of 2028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2028 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2028 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2028 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2028 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2028 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2028 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2028 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2028 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2028 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2028 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2028 wrote to memory of 804 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2028 wrote to memory of 804 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2028 wrote to memory of 804 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2028 wrote to memory of 804 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1620 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 948 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2944 wrote to memory of 948 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2944 wrote to memory of 948 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2944 wrote to memory of 948 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 948 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 948 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 948 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 948 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 948 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 948 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 948 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 948 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 948 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 948 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 948 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 948 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
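The table above is easier to read as a process chain: the dropper writes into Blasthost.exe, which writes into Imgburn\Host.exe; the dropper also writes into a second instance of its own image (2688 into 2636), and the scheduled copy RtDCpl64.exe repeats the same pattern (2028 into 1620), which is the behaviour the "Suspicious use of SetThreadContext" signature in the summary reflects. The following Python is an added example, not code from the sandbox or from this report: the row format is taken from the table above, while the parser, the de-duplication of repeated rows and the chain output are this example's own assumptions.

```python
"""Rebuild the process chain from a 'Suspicious use of WriteProcessMemory' table.

Added example, not part of the sandbox report. The rows below are copied from
the behavioral1 table (one copy of each distinct row, plus one verbatim repeat);
the parser, de-duplication and chain output are this example's own assumptions.
"""
import ntpath
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

SAMPLE_EXE = "eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe"

# Constructed input: distinct rows from the behavioral1 table; the second line is a
# verbatim repeat because the sandbox logs every WriteProcessMemory call separately.
SAMPLE_ROWS = r"""
PID 2688 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2688 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2804 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2688 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe
PID 2688 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2028 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2028 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2028 wrote to memory of 804 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1620 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
""".replace("SAMPLE.exe", SAMPLE_EXE)


def parse_rows(text):
    """Parse rows into (src_pid, dst_pid, src_img, dst_img) tuples, dropping
    verbatim repeats while keeping first-seen order."""
    seen, events = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, blank or otherwise non-row line
        ev = (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def self_injections(events):
    """(writer, target) pairs where a process writes into a fresh instance of its
    own image, the pattern the 'Suspicious use of SetThreadContext' signature reflects."""
    return [(s, d) for s, d, si, di in events if si.lower() == di.lower()]


def execution_chains(events, root_pid):
    """Root-to-leaf chains of image basenames, following writer -> target edges."""
    children = defaultdict(list)
    image = {}
    for s, d, si, di in events:
        children[s].append(d)
        image.setdefault(s, si)
        image[d] = di
    chains = []

    def walk(pid, path):
        path = path + [ntpath.basename(image.get(pid, str(pid)))]
        if not children[pid]:
            chains.append(path)
        for child in children[pid]:
            walk(child, path)

    walk(root_pid, [])
    return chains


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    print("self-injections:", self_injections(evs))
    for root in (2688, 2944):
        for chain in execution_chains(evs, root):
            print(" -> ".join(chain))
```

Run stand-alone it prints the two self-injection pairs and the chains from the dropper (PID 2688) and from taskeng.exe (PID 2944); the second set is the first set replayed from the scheduled task, which is the practical reason to compare chains rather than individual rows.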

Processes

C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe

"C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe

"C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {CC92B720-8D19-465C-B5D3-A3AC7E18003F} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"
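The three identical schtasks.exe lines above register a task named raserver that runs C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe every minute and force-overwrites any task of that name, which is why taskeng.exe keeps relaunching RtDCpl64.exe in the WriteProcessMemory table. The following Python is an added example, not code from the sandbox or from this report: the command line is copied from the process list, while the switch parser, the list of user-writable directories and the interval threshold are this example's own assumptions.

```python
"""Triage a schtasks.exe /create command line such as the one in the process list.

Added example, not part of the sandbox report. The command line is copied from the
report; the option parser, the user-writable path list and the interval threshold
are this example's own assumptions.
"""
import re

SCHTASKS_CMD = (
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver '
    r'/tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F'
)

# "/name value" pairs; the value is a quoted string or a bare token, and is absent
# when the next token is itself a switch (as for /create and /F).
OPT_RE = re.compile(r'/(\w+)(?:\s+(?!/)("[^"]*"|\S+))?')

# Assumption: directories an unprivileged user can write to, i.e. where a task
# action should not normally live.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

UNIT_MINUTES = {"minute": 1, "hourly": 60, "daily": 1440}


def parse_schtasks(cmd):
    """Map lower-cased switch names to their unquoted values, or True for bare flags."""
    opts = {}
    for name, value in OPT_RE.findall(cmd):
        opts[name.lower()] = value.strip('"') if value else True
    return opts


def interval_minutes(opts):
    """Repeat interval implied by /sc and /mo; None for schedules not modelled here."""
    unit = UNIT_MINUTES.get(str(opts.get("sc", "")).lower())
    if unit is None:
        return None
    try:
        return unit * int(opts.get("mo", 1))
    except (TypeError, ValueError):
        return None


def triage_schtasks(cmd, max_interval=5):
    """Verdict dict for a /create command line, or None if the line is not one."""
    opts = parse_schtasks(cmd)
    if "create" not in opts:
        return None
    action = str(opts.get("tr", ""))
    every = interval_minutes(opts)
    reasons = []
    if any(p in action.lower() for p in USER_WRITABLE):
        reasons.append("task action runs from a user-writable directory")
    if every is not None and every <= max_interval:
        reasons.append(f"task re-runs every {every} minute(s)")
    if "f" in opts:
        reasons.append("/F overwrites any existing task with the same name")
    return {
        "task": opts.get("tn"),
        "action": action,
        "interval_minutes": every,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,
    }


if __name__ == "__main__":
    print(triage_schtasks(SCHTASKS_CMD))
```

The same three checks are what a hunt query over process-creation telemetry would encode: an action path under AppData or Temp, a sub-5-minute repeat, and /F. Either of the first two alone is common in legitimate software, so the verdict here requires two of the three.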

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

memory/2688-0-0x00000000003B0000-0x000000000051B000-memory.dmp

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/2804-25-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2636-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2636-39-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2636-29-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2636-27-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2688-26-0x0000000000B20000-0x0000000000B21000-memory.dmp

memory/2688-41-0x00000000003B0000-0x000000000051B000-memory.dmp

memory/2624-42-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/2624-44-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/2276-47-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 a1680c56773fbd301d611f5950d82028
SHA1 29d6c32d0f597dd7e3675f68bf184edd755b47f8
SHA256 794915b19977465e707b8858dacaf74c08be46205b0ffa36ec883d3ca90f61d3
SHA512 f39439068430179c5373ba243164567e95c06465f563a108cb7300e029029e5174a90d25b933d0a2fd113f6325e00730ee6b18dff0b6d2ac9782aaf9900edb49

memory/2028-50-0x0000000001160000-0x00000000012CB000-memory.dmp

memory/1620-75-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2028-79-0x0000000001160000-0x00000000012CB000-memory.dmp

memory/2136-82-0x0000000000160000-0x0000000000161000-memory.dmp

memory/1944-87-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2276-88-0x0000000000400000-0x000000000042C000-memory.dmp

memory/948-98-0x0000000001160000-0x00000000012CB000-memory.dmp

memory/948-115-0x0000000001160000-0x00000000012CB000-memory.dmp

memory/2412-119-0x0000000000130000-0x0000000000131000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-02 07:57

Reported

2025-02-02 07:59

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe"

Signatures

NetWire RAT payload

rat
13 matches; no description, indicator, process or target recorded.

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat
2 matches; no description, indicator, process or target recorded.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

AutoIT Executable

7 matches; no description, indicator, process or target recorded.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4884 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4884 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4884 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2124 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2124 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2124 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 4884 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe
PID 4884 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe
PID 4884 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe
PID 4884 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe
PID 4884 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe
PID 2904 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\cmd.exe
PID 4884 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\schtasks.exe
PID 4884 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\schtasks.exe
PID 4884 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\schtasks.exe
PID 2904 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4496 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4496 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4496 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4496 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4496 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4496 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4496 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4872 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4496 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4496 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4872 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1464 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1464 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1464 wrote to memory of 804 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1464 wrote to memory of 804 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1464 wrote to memory of 804 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1464 wrote to memory of 804 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1464 wrote to memory of 804 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 804 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1464 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1464 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 804 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe

"C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe

"C:\Users\Admin\AppData\Local\Temp\eebc6d2d6415ea6db6aa178be887d3d4c4588a367c3e363f07b6c09048532c09.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network


Files

memory/4884-0-0x0000000000FA0000-0x000000000110B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/2124-13-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4884-14-0x0000000000F30000-0x0000000000F31000-memory.dmp

memory/2904-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2904-23-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4884-25-0x0000000000FA0000-0x000000000110B000-memory.dmp

memory/868-26-0x0000000001330000-0x0000000001331000-memory.dmp

memory/3904-28-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 d591d9bd98c4209322bc84f6349d49cf
SHA1 c9c62c1b1cc7177caadaff3f3a2432a92340644d
SHA256 84942d3626949ed7c28e2caddd88f29ec0324fad9fbe1cbc0feacf9e757e6cc9
SHA512 68e4a06c540f327d18af3d19ee2c54910799f991e676106c79af136e660bfa774b0fa41371d5a0cea7643e7dd067490e26c1acacb5a0b8552310f6cb6a525f20

memory/4496-30-0x0000000000CB0000-0x0000000000E1B000-memory.dmp

memory/4496-48-0x0000000000CB0000-0x0000000000E1B000-memory.dmp

memory/1444-49-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

memory/3904-51-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4924-53-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1464-64-0x0000000000CB0000-0x0000000000E1B000-memory.dmp

memory/1464-75-0x0000000000CB0000-0x0000000000E1B000-memory.dmp

memory/1660-77-0x0000000000910000-0x0000000000911000-memory.dmp

memory/2256-81-0x0000000000400000-0x000000000042C000-memory.dmp