Malware Analysis Report

2025-01-18 16:34

Sample ID 241215-16ah2azkax
Target 8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe
SHA256 8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1
Tags
netwire botnet discovery evasion persistence rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1

Threat Level: Known bad

The file 8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe was found to be: Known bad.

Malicious Activity Summary

netwire botnet discovery evasion persistence rat stealer

NetWire RAT payload

Netwire family

Netwire

Sets file to hidden

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-15 22:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-15 22:15

Reported

2024-12-15 22:17

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Netwire family

netwire

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe" C:\Windows\SysWOW64\REG.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2260 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\attrib.exe
PID 2260 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\REG.exe
PID 2260 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe
"C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe"

C:\Windows\SysWOW64\ping.exe (10 instances)
C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

C:\Windows\SysWOW64\ping.exe (10 instances)
C:\Windows\System32\ping.exe google.com

C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe
"C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe"

C:\Windows\SysWOW64\REG.exe (9 instances)
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 wallou.publicvm.com udp
SG 139.99.66.103:3365 wallou.publicvm.com tcp
US 8.8.8.8:53 mediafire.duckdns.org udp
US 192.169.69.25:3365 mediafire.duckdns.org tcp

Files

memory/2260-0-0x0000000074271000-0x0000000074272000-memory.dmp

memory/2260-1-0x0000000074270000-0x000000007481B000-memory.dmp

memory/2260-2-0x0000000074270000-0x000000007481B000-memory.dmp

memory/2260-3-0x0000000074270000-0x000000007481B000-memory.dmp

\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe

MD5 30ca82721d6deeeb037629453fef0330
SHA1 6ea9d9c73cd568304e86ee0d01540582e1d90576
SHA256 8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1
SHA512 6b7870787d4984a61af96eba8ec1c36565254b65466245971475b646320aa4ff96f130472dd33892f89e652456d953d910d7a1a40100986f7033784cdecd9a2a

memory/1632-6-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1632-17-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1632-15-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1632-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1632-12-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1632-10-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1632-8-0x0000000000400000-0x000000000041E000-memory.dmp

C:\ProgramData\IntelCore\IntelCore.exe

MD5 3c864191d40bdd05cb592c813c41e38c
SHA1 e00098079f064227a9a38317f429727615a5c063
SHA256 9a3b17f61c4797d70ace5710f7e9d2e5bda72c31aebf715be3118c9c5b514171
SHA512 65bc5efe7666894ae9fb62da32618d975c92b07f6e53752fe295b1423f25cf6e6c7235e6f468c871b0f9fd137d381ca3a507d4edcc7e89b6682d994d703b87ca

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-15 22:15

Reported

2024-12-15 22:17

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe" C:\Windows\SysWOW64\REG.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2260 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\attrib.exe
PID 2260 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\REG.exe
PID 2260 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe
PID 2260 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe C:\Windows\SysWOW64\ping.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe

"C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe"

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\ping.exe google.com

C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe

"C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe"

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/2260-0-0x0000000074FA2000-0x0000000074FA3000-memory.dmp

memory/2260-1-0x0000000074FA0000-0x0000000075551000-memory.dmp

memory/2260-2-0x0000000074FA0000-0x0000000075551000-memory.dmp

memory/2260-3-0x0000000074FA2000-0x0000000074FA3000-memory.dmp

memory/2260-4-0x0000000074FA0000-0x0000000075551000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1N.exe

MD5 30ca82721d6deeeb037629453fef0330
SHA1 6ea9d9c73cd568304e86ee0d01540582e1d90576
SHA256 8bececf35363a13380fcf5b00aa392a7c9d6d9fba578bd213f540a2ff1e2cec1
SHA512 6b7870787d4984a61af96eba8ec1c36565254b65466245971475b646320aa4ff96f130472dd33892f89e652456d953d910d7a1a40100986f7033784cdecd9a2a

C:\ProgramData\IntelCore\IntelCore.exe

MD5 71855aa4fd7f64df8c7485f3bdd79121
SHA1 751b28fe08c41c2614576a79c0f00b49a60bbf12
SHA256 80e8a6de789203d6213c1b3ac86e377c64f38a46264f43272fa77b2cd2cbb9e9
SHA512 08d25d09eb2c907d93a2b58250fe11d4b3b343da9212eb676777a2d06e11d6478d78b171cee0a3255b4ec191e211a559580602780016218471e0ebea8e7ff052