dab82dbf7e6f18b280412c26c65959538a7c184aadab205e49813c2474dc0547

Resubmissions

28-04-2022 20:00

220428-yrgmpafea6 8

19-11-2020 20:22

201119-s3p5le3qh2 8

19-11-2020 14:03

201119-vpjz62g6ex 8

Analysis

max time kernel
55s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
28-04-2022 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NewActive.exe
Size

3.8MB
MD5

f81c3a1b8349453e85f80b1ac56f44be
SHA1

0b7f75782b2a7de6b4183414680a55f7410c71d7
SHA256

dab82dbf7e6f18b280412c26c65959538a7c184aadab205e49813c2474dc0547
SHA512

3fe024bb8e93bec33a2ed911e13091c6784c4eb6710262bdea8a3614ec174e7ac51d9c4a1a38d4be4b3386e44b8155780e3565a8775da7170bb1fd83ab256cea

Score

8^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

irsetup.exe

pid process

800 irsetup.exe

pid	process
800	irsetup.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe	upx
\Windows\NetSurveillance\uninstall.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe	upx

Loads dropped DLL 11 IoCs

Processes:

NewActive.exeirsetup.exeregsvr32.exe

pid	process
1364	NewActive.exe
800	irsetup.exe
800	irsetup.exe
800	irsetup.exe
800	irsetup.exe
800	irsetup.exe
1320	regsvr32.exe
1320	regsvr32.exe
1320	regsvr32.exe
1320	regsvr32.exe
1320	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

irsetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\German.lang	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\PlayDev.dll	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\AlarmEnable.xml	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\Playback_graphics_Thumb.bmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\Russian.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\English.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\plcb_Disabled.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\x1_05.JPG	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\plcb_normal.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\playback_graphics_config.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\Romanian.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\dlg_top.bmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\Spanish.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\NetSdk.dll	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\NetSdk.dll	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\Hungarian.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\plcb_back.JPG	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\x1_03.JPG	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\x1_05.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\mp_channel_active.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\Hebrew.lang	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\Arabic.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\ConfigModule.dll	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\mp_thumb_active.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\theme.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\replayer_config.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\StreamReader.dll	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\Spanish.lang	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\Greek.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\H264Play.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\x1_01.JPG	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\dlg_top.bmp	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\Poland.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\mp_channel.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\plcb_over.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\Korean.lang	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\Hebrew.lang	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\H264Play.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\Portugal.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\npWebPlugin.dll	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\npWebPlugin.dll	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\mp_channel.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\x1_03.JPG	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\Thai.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\Japanese.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\reg.bat	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\dlg_left.bmp	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\Korean.lang	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\dlg_right.bmp	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\ConfigModule.dll	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\x1_01.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\SimpChinese.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\Poland.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\Greek.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\French.lang	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\English.lang	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\Brazilian.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\AlarmEnable.xml	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\dlg_bottom.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\Suomi.lang	irsetup.exe
File created	C:\Program Files (x86)\NetSurveillance\CMS\StreamReader.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\Hungarian.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\Arabic.lang	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSurveillance\CMS\Brazilian.lang	irsetup.exe

Drops file in Windows directory 10 IoCs

Processes:

irsetup.exe

description	ioc	process
File created	C:\Windows\NetSurveillance\Uninstall\uninstall.xml	irsetup.exe
File opened for modification	C:\Windows\NetSurveillance\Uninstall\IRIMG1.JPG	irsetup.exe
File created	C:\Windows\NetSurveillance\Uninstall\IRIMG2.JPG	irsetup.exe
File opened for modification	C:\Windows\NetSurveillance\Uninstall\uni1B01.tmp	irsetup.exe
File created	C:\Windows\NetSurveillance\Uninstall\uni1B01.tmp	irsetup.exe
File created	C:\Windows\NetSurveillance\Uninstall\uninstall.dat	irsetup.exe
File created	C:\Windows\NetSurveillance\uninstall.exe	irsetup.exe
File opened for modification	C:\Windows\NetSurveillance\Uninstall\uninstall.xml	irsetup.exe
File created	C:\Windows\NetSurveillance\Uninstall\IRIMG1.JPG	irsetup.exe
File opened for modification	C:\Windows\NetSurveillance\Uninstall\uninstall.dat	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1932	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1932	AUDIODG.EXE
Token: 33	1932	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1932	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

irsetup.exe

pid process

800 irsetup.exe
800 irsetup.exe

pid	process
800	irsetup.exe
800	irsetup.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

NewActive.exeirsetup.execmd.exe

description	pid	process	target process
PID 1364 wrote to memory of 800	1364	NewActive.exe	irsetup.exe
PID 1364 wrote to memory of 800	1364	NewActive.exe	irsetup.exe
PID 1364 wrote to memory of 800	1364	NewActive.exe	irsetup.exe
PID 1364 wrote to memory of 800	1364	NewActive.exe	irsetup.exe
PID 1364 wrote to memory of 800	1364	NewActive.exe	irsetup.exe
PID 1364 wrote to memory of 800	1364	NewActive.exe	irsetup.exe
PID 1364 wrote to memory of 800	1364	NewActive.exe	irsetup.exe
PID 800 wrote to memory of 1320	800	irsetup.exe	regsvr32.exe
PID 800 wrote to memory of 1320	800	irsetup.exe	regsvr32.exe
PID 800 wrote to memory of 1320	800	irsetup.exe	regsvr32.exe
PID 800 wrote to memory of 1320	800	irsetup.exe	regsvr32.exe
PID 800 wrote to memory of 1320	800	irsetup.exe	regsvr32.exe
PID 800 wrote to memory of 1320	800	irsetup.exe	regsvr32.exe
PID 800 wrote to memory of 1320	800	irsetup.exe	regsvr32.exe
PID 800 wrote to memory of 1800	800	irsetup.exe	cmd.exe
PID 800 wrote to memory of 1800	800	irsetup.exe	cmd.exe
PID 800 wrote to memory of 1800	800	irsetup.exe	cmd.exe
PID 800 wrote to memory of 1800	800	irsetup.exe	cmd.exe
PID 800 wrote to memory of 1800	800	irsetup.exe	cmd.exe
PID 800 wrote to memory of 1800	800	irsetup.exe	cmd.exe
PID 800 wrote to memory of 1800	800	irsetup.exe	cmd.exe
PID 1800 wrote to memory of 1052	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1052	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1052	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1052	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1052	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1052	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1052	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 268	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 268	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 268	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 268	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 268	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 268	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 268	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 572	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 572	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 572	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 572	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 572	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 572	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 572	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1388	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1388	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1388	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1388	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1388	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1388	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1388	1800	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\NewActive.exe
"C:\Users\Admin\AppData\Local\Temp\NewActive.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
__IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\NewActive.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\NetSurveillance\CMS\web.ocx"
3⤵
- Loads dropped DLL
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\NetSurveillance\CMS\reg.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\JFWeb" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npWebPlugin.dll" /f
4⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\JFGuide" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npGuide.dll" /f
4⤵
PID:268

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\JFWeb" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npWebPlugin.dll" /f
4⤵
PID:572

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\JFGuide" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npGuide.dll" /f
4⤵
PID:1388

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1496

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NetSurveillance\CMS\ConfigModule.dll
Filesize
476KB

MD5
c287c399f1bf7a5c5347a8b937987def

SHA1
80880f5a47036b73ccd9ec60607a4b66058b2243

SHA256
49eea28838501b13352045acc34f8ce693c858606b98ceac51d09511662ae21b

SHA512
67f646746a9ea6e6e0af0071d643ee5b79634b6298d543054403c33ac19b44b7b52946e58cb6600d4db9d421b4ac1581aad743d54f828d259b5b397056cd2018

Download Submit
C:\Program Files (x86)\NetSurveillance\CMS\H264Play.dll
Filesize
677KB

MD5
c67952e4e72aaaf1bff335cfd22e6e79

SHA1
5eed9b36deb5029bcbb60af0996fa88e21d15807

SHA256
2350d458fd1d8aa7c43a6b4ef819f7a0a8eb06b535a81c0ac0f17c3779499c1a

SHA512
ed62e89b106788884c4db30d2deac9f17669f7fd4828881ae82d6360f765d8f3a6dc2d8d32db5450e90a8d1a293a80e9f4c4e3f8439890afd1e09a4f35bc1a6e

Download Submit
C:\Program Files (x86)\NetSurveillance\CMS\NetSDK.dll
Filesize
293KB

MD5
b499957c7a57e89257140d163104046d

SHA1
ef692f98a61748ecac1e59261ba8caf0150eb79a

SHA256
a060f8d4773bc985e683d536232ed57d83bf9190e0341317bfcf1f064d410654

SHA512
a3449609571dcffbd256ad016b2921176dac7ab825062f4ae963c8081a9b672796d7a87448213ca68afdef7c48626f0a89c2ff1e1db324fe8816ce9fa6666f86

Download Submit
C:\Program Files (x86)\NetSurveillance\CMS\StreamReader.dll
Filesize
38KB

MD5
65f495d45c50cb3b00594e77c76e1ba4

SHA1
bba3dbdcb35a9478013dae796386ade413da9d7b

SHA256
d809c40e0698d3196d9a6760e3705a1e8bf65c769e67ec87df6175b85f6c420c

SHA512
d4465031b983bf5dffccdc5c07342424c3396798c920b719b24190cfc1e735903f585c773df5e49bdc200145c126f87655d860ddf494c495259bde2292ac72b1

Download Submit
C:\Program Files (x86)\NetSurveillance\CMS\reg.bat
Filesize
446B

MD5
71baf73ffc3ae2a59c34767eab0208d5

SHA1
45ae47dcf0335c27fddf319f878f8ab82cf02344

SHA256
aff032368972c093443753e5959a324260a3cb7aca1f1251177c7e3249a8dc68

SHA512
ae40422dca879ff576e6accd98cdfcd77189a7a1c72de19724fe569b0553ecb6cf2ae3fb0f9f8a6f790a9a82c252753eb4488f19182853dbac8608bfbd6d47f0

Download Submit
C:\Program Files (x86)\NetSurveillance\CMS\web.ocx
Filesize
221KB

MD5
5ed1c01ded266cbe83054facf63d8299

SHA1
29d2a8e0bef198e489d96b018f20cffbc04f6f0e

SHA256
b83740792fc73299e8ea6640a1b2d6bc923ff1fc657482f09f5cbf59ef290dec

SHA512
47d0c3d62d9b6760ab2d51c08fc1e735e0d7f183e07d5c932e26d740bef6ad7af5c3fda54d8b0442841cbd15984ebaa043203f33a86aae73bd63b3970b100b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
\Program Files (x86)\NetSurveillance\CMS\ConfigModule.dll
Filesize
476KB

MD5
c287c399f1bf7a5c5347a8b937987def

SHA1
80880f5a47036b73ccd9ec60607a4b66058b2243

SHA256
49eea28838501b13352045acc34f8ce693c858606b98ceac51d09511662ae21b

SHA512
67f646746a9ea6e6e0af0071d643ee5b79634b6298d543054403c33ac19b44b7b52946e58cb6600d4db9d421b4ac1581aad743d54f828d259b5b397056cd2018

Download Submit
\Program Files (x86)\NetSurveillance\CMS\H264Play.dll
Filesize
677KB

MD5
c67952e4e72aaaf1bff335cfd22e6e79

SHA1
5eed9b36deb5029bcbb60af0996fa88e21d15807

SHA256
2350d458fd1d8aa7c43a6b4ef819f7a0a8eb06b535a81c0ac0f17c3779499c1a

SHA512
ed62e89b106788884c4db30d2deac9f17669f7fd4828881ae82d6360f765d8f3a6dc2d8d32db5450e90a8d1a293a80e9f4c4e3f8439890afd1e09a4f35bc1a6e

Download Submit
\Program Files (x86)\NetSurveillance\CMS\NetSdk.dll
Filesize
293KB

MD5
b499957c7a57e89257140d163104046d

SHA1
ef692f98a61748ecac1e59261ba8caf0150eb79a

SHA256
a060f8d4773bc985e683d536232ed57d83bf9190e0341317bfcf1f064d410654

SHA512
a3449609571dcffbd256ad016b2921176dac7ab825062f4ae963c8081a9b672796d7a87448213ca68afdef7c48626f0a89c2ff1e1db324fe8816ce9fa6666f86

Download Submit
\Program Files (x86)\NetSurveillance\CMS\StreamReader.dll
Filesize
38KB

MD5
65f495d45c50cb3b00594e77c76e1ba4

SHA1
bba3dbdcb35a9478013dae796386ade413da9d7b

SHA256
d809c40e0698d3196d9a6760e3705a1e8bf65c769e67ec87df6175b85f6c420c

SHA512
d4465031b983bf5dffccdc5c07342424c3396798c920b719b24190cfc1e735903f585c773df5e49bdc200145c126f87655d860ddf494c495259bde2292ac72b1

Download Submit
\Program Files (x86)\NetSurveillance\CMS\web.ocx
Filesize
221KB

MD5
5ed1c01ded266cbe83054facf63d8299

SHA1
29d2a8e0bef198e489d96b018f20cffbc04f6f0e

SHA256
b83740792fc73299e8ea6640a1b2d6bc923ff1fc657482f09f5cbf59ef290dec

SHA512
47d0c3d62d9b6760ab2d51c08fc1e735e0d7f183e07d5c932e26d740bef6ad7af5c3fda54d8b0442841cbd15984ebaa043203f33a86aae73bd63b3970b100b0a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
\Windows\NetSurveillance\uninstall.exe
Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
memory/268-82-0x0000000000000000-mapping.dmp

Download
memory/572-84-0x0000000000000000-mapping.dmp

Download
memory/800-56-0x0000000000000000-mapping.dmp

Download
memory/1052-77-0x0000000000000000-mapping.dmp

Download
memory/1156-90-0x0000000073041000-0x0000000073043000-memory.dmp

Filesize
8KB

Download
memory/1320-65-0x0000000000000000-mapping.dmp

Download
memory/1320-86-0x0000000000740000-0x0000000000801000-memory.dmp

Filesize
772KB

Download
memory/1364-54-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/1388-87-0x0000000000000000-mapping.dmp

Download
memory/1800-67-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads