Malware Analysis Report

2025-04-03 09:54

Sample ID 250207-232nsatncp
Target 98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe
SHA256 98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27
Tags
rat netwire warzonerat botnet discovery infostealer stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27

Threat Level: Known bad

The file 98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe was found to be: Known bad.

Malicious Activity Summary

rat netwire warzonerat botnet discovery infostealer stealer

Netwire family

NetWire RAT payload

WarzoneRat, AveMaria

Warzonerat family

Netwire

Warzone RAT payload

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

AutoIT Executable

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-07 23:07

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-07 23:07

Reported

2025-02-08 00:08

Platform

win7-20241010-en

Max time kernel

121s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 432 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 432 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 432 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 432 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2532 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2532 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2532 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2532 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 432 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe
PID 432 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe
PID 432 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe
PID 432 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe
PID 432 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe
PID 432 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe
PID 432 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\schtasks.exe
PID 432 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\schtasks.exe
PID 432 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\schtasks.exe
PID 432 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\schtasks.exe
PID 2916 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2740 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2604 wrote to memory of 2740 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2604 wrote to memory of 2740 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2604 wrote to memory of 2740 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2740 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2740 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2740 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2740 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2740 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2740 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2740 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2740 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2740 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2740 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2740 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1640 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 456 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2604 wrote to memory of 456 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2604 wrote to memory of 456 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2604 wrote to memory of 456 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 456 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 456 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 456 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 456 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 456 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 456 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 456 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 456 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 456 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 456 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2932 wrote to memory of 588 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 588 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe

"C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe

"C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {2440C284-9800-49D3-9AA2-967791019D07} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

memory/432-0-0x00000000011D0000-0x000000000133B000-memory.dmp

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/2532-24-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2916-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2916-29-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2916-27-0x0000000000080000-0x000000000009D000-memory.dmp

memory/432-26-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/2916-39-0x0000000000080000-0x000000000009D000-memory.dmp

memory/432-41-0x00000000011D0000-0x000000000133B000-memory.dmp

memory/2560-42-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2560-44-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2424-47-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 7b1b86694c493845d697c4bee12e5436
SHA1 6c2ed62a550b1c699fc0324957463b47f04c9b1b
SHA256 074eb34b998cf3414eac1672906dd8e4d89739055e82edb37a4314e663681b41
SHA512 f4d61ed42294190361e958cd4e26ca63d96463f80c569c2bae4f415e8be9d1301f327e1fa56e6969b825af8b12054c36b4d9bf632f2dd112c7fe986bd82d544b

memory/2740-54-0x0000000000A50000-0x0000000000BBB000-memory.dmp

memory/1640-79-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2740-83-0x0000000000A50000-0x0000000000BBB000-memory.dmp

memory/584-86-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/1208-91-0x0000000000400000-0x000000000042C000-memory.dmp

memory/456-118-0x0000000000A50000-0x0000000000BBB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-07 23:07

Reported

2025-02-09 12:57

Platform

win10v2004-20250207-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3232 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3232 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3232 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3612 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3612 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3612 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3232 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe
PID 3232 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe
PID 3232 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe
PID 3232 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe
PID 3232 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe
PID 2072 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\schtasks.exe
PID 2072 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3452 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3452 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3452 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3452 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3452 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3452 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3452 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2528 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 3452 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 3452 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2528 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 400 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1212 wrote to memory of 400 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1212 wrote to memory of 400 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1212 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1212 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1212 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1212 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1212 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2748 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1212 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1212 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2748 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe

"C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe

"C:\Users\Admin\AppData\Local\Temp\98bad83582b64d95b3ae7a2b969fcd389ba94599a4701787090c973e6cf33b27.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping […]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDU2OTMxNTgyIi8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network


Files

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 28d2cbb0751720fb563e525326aa0faa
SHA1 26e95a68d0b24aea0c4ee1b771196d2e3fd87c62
SHA256 d3c811a2d259b2315265f52123f0188132a5b07fb8ba80c53b9742bd1857ef63
SHA512 31110e4e321f8f56ca9487e1619d762180cc9c6cecc37e7e135258d200026f3da44badb03d5cf7c5f63a5bc872aaca96ff35cdb50e8b2d54df0619835af8a49d
