Malware Analysis Report

2025-04-03 09:53

Sample ID 250216-lnnkls1qcj
Target c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
SHA256 c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def
Tags
netwire warzonerat botnet discovery infostealer rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def

Threat Level: Known bad

The file c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe was found to be: Known bad.

Malicious Activity Summary

netwire warzonerat botnet discovery infostealer rat stealer

Netwire family

Warzonerat family

WarzoneRat, AveMaria

NetWire RAT payload

Netwire

Warzone RAT payload

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

AutoIT Executable

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-16 09:40

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-16 09:40

Reported

2025-02-16 09:42

Platform

win10v2004-20250211-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2004 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2004 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3468 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3468 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3468 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2004 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 2004 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 2004 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 2004 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 2004 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 5080 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 5080 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 5080 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\schtasks.exe
PID 2004 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\schtasks.exe
PID 2004 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\schtasks.exe
PID 5080 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 5080 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2596 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2596 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2596 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2596 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2596 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2596 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2596 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4600 wrote to memory of 768 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 768 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 768 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4600 wrote to memory of 768 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 768 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2904 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2904 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2904 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2904 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2904 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2904 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2904 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1500 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1500 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1500 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2904 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2904 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1500 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1500 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe

"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe

"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping -PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODg4ODcxNTQwIi8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
GB 104.86.110.120:443 www.bing.com tcp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 52.252.28.242:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 udp

Files

memory/2004-0-0x0000000000190000-0x00000000002FB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/3468-11-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2004-14-0x0000000003570000-0x0000000003571000-memory.dmp

memory/5080-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/5080-23-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2004-25-0x0000000000190000-0x00000000002FB000-memory.dmp

memory/2268-26-0x0000000000980000-0x0000000000981000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 a9ce7a77793a391ddf4955c4439f05e1
SHA1 cf531d20033a3a6307d5ebf1952b034b60cabd48
SHA256 b5e8362c1dfcd2b0ef04d9675b7ee957de7809494f8e2f6c164352aa3bd1d433
SHA512 c96963f72f6b9609e5321dc3608bbb9c180ca727e4a2a36924ad93f014039446ddcfe30869bff289badf9221103b20e84afdaaa277493a61d2632003b2e2c757

memory/2596-29-0x0000000000EE0000-0x000000000104B000-memory.dmp

memory/2596-47-0x0000000000EE0000-0x000000000104B000-memory.dmp

memory/768-48-0x0000000000680000-0x0000000000681000-memory.dmp

memory/4132-50-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3980-53-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4132-62-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3980-73-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1500-65-0x0000000000890000-0x00000000008AD000-memory.dmp

memory/1500-74-0x0000000000890000-0x00000000008AD000-memory.dmp

memory/2904-75-0x0000000000EE0000-0x000000000104B000-memory.dmp

memory/1460-76-0x00000000007F0000-0x00000000007F1000-memory.dmp

memory/2180-80-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2180-83-0x0000000000400000-0x000000000042C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-16 09:40

Reported

2025-02-16 09:42

Platform

win7-20240903-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1404 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1404 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1404 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1976 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1976 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1976 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1976 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1404 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 1404 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 1404 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 1404 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 1404 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 1404 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 2696 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\schtasks.exe
PID 1404 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\schtasks.exe
PID 1404 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\schtasks.exe
PID 1404 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2552 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2552 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2552 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2620 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2620 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2620 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2620 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2620 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2620 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2620 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2620 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2620 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2620 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2620 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2620 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2620 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1464 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1952 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1952 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1952 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe

"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe

"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {CD627AD7-4AA4-4376-9FE6-BBAA7B896BC5} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

memory/1404-0-0x00000000012C0000-0x000000000142B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/1976-24-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1404-26-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/2696-27-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2696-30-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2696-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2696-39-0x0000000000080000-0x000000000009D000-memory.dmp

memory/1404-41-0x00000000012C0000-0x000000000142B000-memory.dmp

memory/2676-42-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2676-44-0x0000000000120000-0x0000000000121000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 073c791660513a81851c7e2181a334dd
SHA1 f18e0f0ee001aa9704d27afc10852ea4e76a138a
SHA256 6c14d0b9d9b38475ff364e63c07efb2c3e5e6158fa9d4fbf49672ae79b409636
SHA512 06201ac2a3952e463f1e8d70fe539756eb5737e494611fd1e5c8ccac12211f62bc877810d8cf5aee0784a64d2a0e6fe527921e5b809fe164d1ecb448945e81b6

memory/2620-49-0x0000000000B20000-0x0000000000C8B000-memory.dmp

memory/1464-74-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1464-69-0x00000000004C0000-0x00000000004DD000-memory.dmp

memory/1464-77-0x00000000004C0000-0x00000000004DD000-memory.dmp

memory/2620-78-0x0000000000B20000-0x0000000000C8B000-memory.dmp

memory/2536-81-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2276-84-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2404-86-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2276-89-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1584-109-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1952-113-0x0000000000B20000-0x0000000000C8B000-memory.dmp

memory/1700-117-0x0000000000170000-0x0000000000171000-memory.dmp