Malware Analysis Report

2025-01-18 16:51

Sample ID 230927-wj28bada5v
Target 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1)
SHA256 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956
Tags
netwire botnet rat stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956

Threat Level: Known bad

The file 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1) was found to be: Known bad.

Malicious Activity Summary

netwire botnet rat stealer upx

Netwire

NetWire RAT payload

Checks computer location settings

UPX packed file

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: CmdExeWriteProcessMemorySpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-27 17:57

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-27 17:57

Reported

2023-09-27 17:59

Platform

win7-20230831-en

Max time kernel

51s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\install.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2624 set thread context of 2468 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\install.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\files.dat N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe C:\Users\Admin\AppData\Local\Temp\OInstall.exe
PID 2184 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2344 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\OInstall.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\OInstall.exe C:\Windows\system32\cmd.exe
PID 2804 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\files\files.dat
PID 2624 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2624 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2468 wrote to memory of 2868 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\WerFault.exe
PID 2344 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\OInstall.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe

"C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe"

C:\Users\Admin\AppData\Local\Temp\OInstall.exe

"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"

C:\Users\Admin\AppData\Local\Temp\install.exe

"C:\Users\Admin\AppData\Local\Temp\install.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /D /c copy C:\Windows\system32\Tasks\OInstall "C:\Windows\Temp\OInstall.tmp" /Y

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto

C:\Users\Admin\AppData\Local\Temp\files\files.dat

files.dat -y -pkmsauto

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 732

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\OInstall.exe

MD5 78ffd4acc57558d2b0e6b89fff8930f4
SHA1 4513925109addb215d1004399302fb076fefdd43
SHA256 0c0a89c18afc28ffaf49d10153e4b81178c511cfb5594d893c9510c24c193e7e
SHA512 76685f2cf94bd8d15288696205a38033942f21def78c1d6fe503b94764fcbf46bfb01f7d9cf3d9adfe4136fc0b1eb395e071a3691bce0762038975eec259d566

C:\Users\Admin\AppData\Local\Temp\OInstall.exe

MD5 78ffd4acc57558d2b0e6b89fff8930f4
SHA1 4513925109addb215d1004399302fb076fefdd43
SHA256 0c0a89c18afc28ffaf49d10153e4b81178c511cfb5594d893c9510c24c193e7e
SHA512 76685f2cf94bd8d15288696205a38033942f21def78c1d6fe503b94764fcbf46bfb01f7d9cf3d9adfe4136fc0b1eb395e071a3691bce0762038975eec259d566

\Users\Admin\AppData\Local\Temp\install.exe

MD5 6037361243f8c390326debbea5b85ac2
SHA1 654fca850890949bbbd41a7e4c481ab89e10839a
SHA256 b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5
SHA512 434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

C:\Users\Admin\AppData\Local\Temp\install.exe

MD5 6037361243f8c390326debbea5b85ac2
SHA1 654fca850890949bbbd41a7e4c481ab89e10839a
SHA256 b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5
SHA512 434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

memory/2184-29-0x0000000008E90000-0x000000000A191000-memory.dmp

memory/2344-30-0x0000000000400000-0x0000000001701000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\files\files.dat

MD5 55d21b2c272a5d6b9f54fa9ed82bf9eb
SHA1 32464cba823cd9b7e94e4fa1a32a8f2344b0f33b
SHA256 7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47
SHA512 1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

memory/2624-45-0x00000000002A0000-0x00000000002F2000-memory.dmp

memory/2624-51-0x00000000003E0000-0x0000000000408000-memory.dmp

memory/2624-52-0x0000000000410000-0x000000000042E000-memory.dmp

memory/2344-53-0x0000000000400000-0x0000000001701000-memory.dmp

memory/2624-55-0x0000000000430000-0x0000000000433000-memory.dmp

memory/2468-56-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2468-58-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2468-60-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Local\Temp\OInstall.exe

MD5 35fec016bae5b9e5df94f791de70a514
SHA1 91d3fc0644f2f44e0c1aa1ecd3648ec189881b66
SHA256 8f9a6792e6c7b5f57cecf4e82aec4988b83c47abf36564f5b9dfab499a090370
SHA512 7477afba203d879172df6011acff508468dae4f5cb07fe6f4ee831f81c652f46b584a66fb6701a46b85133f69f344d1e0dd1796c88644e1208bda91ef05f31a8

\Users\Admin\AppData\Local\Temp\OInstall.exe

MD5 aee11561774b0096326f5fad11ff7a9f
SHA1 faade5e7ae55db0b7126e39a8c04cd38f8e367ea
SHA256 c083a9ad1c773d9d0270f1375ce4cd1dd8a5e9c9bac90dacf0cfb4ba0def0d35
SHA512 1fd7e52ca5ae028fb309f0a4c0031acd89c3cf16471672a1085131e6aac7921ca0712961891e2d1af019397dd1bc08087358c1756ae897cd5564e733ab2239a9

\Users\Admin\AppData\Local\Temp\OInstall.exe

MD5 30d944e8fb171819c7159e81b0fa2beb
SHA1 e4f671c5db3d439512350e43b9d5ce1717cc04ab
SHA256 8347d0adcf36ff95162b0f2ba4066c46404ed7923f14d406415bdc089f51702d
SHA512 0ac406545675cb9b54ecabf205262102ed48c1cd538a706dd073c201b6cc5be7c21028b09e9f23357ca39982b6a24d064e6423d1024af1ceee6f8adb54038b4f

\Users\Admin\AppData\Local\Temp\OInstall.exe

MD5 30a57d37a010de238e89b7739d24b3ab
SHA1 b4d39098c91c8440d25690574460c923e579a3ca
SHA256 012fb86a29b15dd69e71e7db79945a46910cf936193126642f10f2ea2f3949e0
SHA512 9436ead9100591dacedd233583528cf929d5c349c2598227608a8add5f77fefaea48882548fb837779d1d6b256a6688aa7df588d29afc83e566aa3426080ff57

memory/2344-71-0x0000000000400000-0x0000000001701000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-27 17:57

Reported

2023-09-27 18:01

Platform

win10v2004-20230915-en

Max time kernel

197s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\install.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3016 set thread context of 320 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\install.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OInstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\files.dat N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe C:\Users\Admin\AppData\Local\Temp\OInstall.exe
PID 1952 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3712 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\OInstall.exe C:\Windows\system32\cmd.exe
PID 2120 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3712 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\OInstall.exe C:\Windows\system32\cmd.exe
PID 3712 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\OInstall.exe C:\Windows\system32\cmd.exe
PID 1704 wrote to memory of 2076 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3712 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\OInstall.exe C:\Windows\system32\cmd.exe
PID 4596 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\files\files.dat
PID 3712 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\OInstall.exe C:\Windows\system32\cmd.exe
PID 4988 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3712 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\OInstall.exe C:\Windows\system32\cmd.exe
PID 3712 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\OInstall.exe C:\Windows\system32\cmd.exe
PID 4212 wrote to memory of 116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4212 wrote to memory of 116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3016 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3016 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3016 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3016 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe

"C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe"

C:\Users\Admin\AppData\Local\Temp\OInstall.exe

"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"

C:\Users\Admin\AppData\Local\Temp\install.exe

"C:\Users\Admin\AppData\Local\Temp\install.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /D /c copy C:\Windows\system32\Tasks\OInstall "C:\Windows\Temp\OInstall.tmp" /Y

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto

C:\Users\Admin\AppData\Local\Temp\files\files.dat

files.dat -y -pkmsauto

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 320 -ip 320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 592

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 155.245.36.23.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\OInstall.exe

MD5 78ffd4acc57558d2b0e6b89fff8930f4
SHA1 4513925109addb215d1004399302fb076fefdd43
SHA256 0c0a89c18afc28ffaf49d10153e4b81178c511cfb5594d893c9510c24c193e7e
SHA512 76685f2cf94bd8d15288696205a38033942f21def78c1d6fe503b94764fcbf46bfb01f7d9cf3d9adfe4136fc0b1eb395e071a3691bce0762038975eec259d566

C:\Users\Admin\AppData\Local\Temp\install.exe

MD5 6037361243f8c390326debbea5b85ac2
SHA1 654fca850890949bbbd41a7e4c481ab89e10839a
SHA256 b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5
SHA512 434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

memory/3712-22-0x0000000000400000-0x0000000001701000-memory.dmp

memory/3016-23-0x0000000000820000-0x0000000000872000-memory.dmp

memory/3016-26-0x0000000005300000-0x0000000005310000-memory.dmp

memory/3016-25-0x00000000051D0000-0x00000000051F8000-memory.dmp

memory/3016-27-0x0000000005210000-0x000000000522E000-memory.dmp

memory/3016-24-0x0000000073110000-0x00000000738C0000-memory.dmp

memory/3016-28-0x00000000058C0000-0x0000000005E64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\files\files.dat

MD5 55d21b2c272a5d6b9f54fa9ed82bf9eb
SHA1 32464cba823cd9b7e94e4fa1a32a8f2344b0f33b
SHA256 7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47
SHA512 1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

memory/3712-50-0x0000000000400000-0x0000000001701000-memory.dmp

memory/3016-51-0x0000000073110000-0x00000000738C0000-memory.dmp

memory/3016-52-0x0000000005300000-0x0000000005310000-memory.dmp

memory/3016-54-0x00000000052A0000-0x00000000052A3000-memory.dmp

memory/320-55-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3016-59-0x0000000073110000-0x00000000738C0000-memory.dmp

memory/320-58-0x0000000000400000-0x000000000042B000-memory.dmp

memory/320-61-0x0000000000400000-0x000000000042B000-memory.dmp