07480ae48f8d5d5c7e486b2eb6cca37d8d39c5ebffa2e75a3714b2d157952f5d

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

netskyP.exe
Size

28KB
MD5

3018e99857f31a59e0777396ae634a8f
SHA1

7031cfe76ee7b2c925f2c00372fb9ef7f983f60c
SHA256

c8fffb2e737514c551b2d7bcaf8baa459564b059cab1a35a3cec4b3c270d4525
SHA512

4604c98f765be26d4a0a33f54cc777810cae7fab5153ee637b4fc8057492fd40de6fdf9d88dc4f7f34f45dd174bae54a2b39e0f0e5f1f5997820b9bccf47686a
SSDEEP

768:vWkliAnUQYkYKzqbjC5RqHjrYReyZx+l0oKriCPRDL:+ySsz6jGeyZx+l0TR

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV = "C:\\Windows\\FVProtect.exe"	netskyP.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\meta-inf\Eminem.mp3.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\images\Eminem Song text archive.doc.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\images\Britney Spears fuck.jpg.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\js\Britney Spears blowjob.jpg.exe	netskyP.exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\89.0.4389.114\American Idol.doc.exe	netskyP.exe
File created	\??\c:\program files (x86)\google\update\download\DivX 8.0 final.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Britney Spears porn.jpg.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\js\Arnold Schwarzenegger.jpg.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\The Sims 4 beta.exe	netskyP.exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\89.0.4389.114\Harry Potter.doc.exe	netskyP.exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\89.0.4389.114\RFC compilation.doc.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Eminem full album.mp3.exe	netskyP.exe
File created	\??\c:\program files (x86)\google\update\download\Britney Spears Sexy archive.doc.exe	netskyP.exe
File created	\??\c:\program files (x86)\google\update\download\Harry Potter 5.mpg.exe	netskyP.exe
File created	\??\c:\program files (x86)\google\update\download\Windows 2003 crack.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\Adobe Photoshop 10 full.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Dark Angels new.pif	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Opera 11.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\dialogs\Cloning.doc.exe	netskyP.exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\89.0.4389.114\Doom 3 release 2.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Kazaa Lite 4.0 new.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\images\Cloning.doc.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\images\Learn Programming 2004.doc.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\Serials edition.txt.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\meta-inf\Eminem full album.mp3.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Matrix.mpg.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Dark Angels new.pif	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Teen Porn 15.jpg.pif	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\meta-inf\Harry Potter game.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\dialogs\Adobe Premiere 10.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\images\Eminem blowjob.jpg.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Britney Spears.jpg.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Saddam Hussein.jpg.exe	netskyP.exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\89.0.4389.114\Arnold Schwarzenegger.jpg.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\1001 Sex and more.rtf.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\dialogs\DivX 8.0 final.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\js\Cracks & Warez Archiv.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\Teen Porn 15.jpg.pif	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\images\netsky source code.scr	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Adobe Photoshop 10 full.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\3D Studio Max 6 3dsmax.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Internet Explorer 9 setup.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\Smashing the stack full.rtf.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Cracks & Warez Archiv.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\images\ACDSee 10.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\Eminem blowjob.jpg.exe	netskyP.exe
File created	\??\c:\program files (x86)\google\update\download\Kazaa Lite 4.0 new.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\Partitionsmagic 10 beta.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Eminem Poster.jpg.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\js\Ringtones.mp3.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Harry Potter all e.book.doc.exe	netskyP.exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\Harry Potter all e.book.doc.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\Britney Spears Song text archive.doc.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\images\Harry Potter all e.book.doc.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Britney Spears fuck.jpg.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Visual Studio Net Crack all.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\Gimp 1.8 Full with Key.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Altkins Diet.doc.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\js\Eminem blowjob.jpg.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\Harry Potter.doc.exe	netskyP.exe
File created	\??\c:\program files (x86)\google\update\download\Kazaa new.exe	netskyP.exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Saddam Hussein.jpg.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\images\Serials edition.txt.exe	netskyP.exe
File created	\??\c:\program files\videolan\vlc\lua\http\dialogs\3D Studio Max 6 3dsmax.exe	netskyP.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.rtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\Britney Spears cumshot.jpg.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.rtc\Adobe Premiere 10.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.webrequest\Windows 2003 crack.exe	netskyP.exe
File created	\??\c:\windows\serviceprofiles\networkservice\downloads\Opera 11.exe	netskyP.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.http\Britney Spears fuck.jpg.exe	netskyP.exe
File created	\??\c:\windows\downloaded program files\Britney Spears.jpg.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.webrequest\v4.0_4.0.0.0__b03f5f7f11d50a3a\Britney Spears cumshot.jpg.exe	netskyP.exe
File created	\??\c:\windows\serviceprofiles\networkservice\downloads\Lightwave 9 Update.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http\Altkins Diet.doc.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http\1001 Sex and more.rtf.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.rtc\Harry Potter 1-6 book.txt.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.rtc\Britney Spears fuck.jpg.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.rtc\1001 Sex and more.rtf.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.servicemodel.http\v4.0_4.0.0.0__b03f5f7f11d50a3a\WinXP eBook newest.doc.exe	netskyP.exe
File created	\??\c:\windows\softwaredistribution\download\Harry Potter.doc.exe	netskyP.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.http\62765bb26133f581e10bb7c866f35c83\Britney Spears blowjob.jpg.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http\Harry Potter 5.mpg.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.rtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\Britney Spears.jpg.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.rtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\Magix Video Deluxe 5 beta.exe	netskyP.exe
File created	\??\c:\windows\serviceprofiles\localservice\downloads\Smashing the stack full.rtf.exe	netskyP.exe
File created	\??\c:\windows\softwaredistribution\download\d881ecfb1357f383d18f1e4fd0554eb0\Adobe Photoshop 10 crack.exe	netskyP.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.http\62765bb26133f581e10bb7c866f35c83\Clone DVD 6.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http\v4.0_4.0.0.0__b03f5f7f11d50a3a\Eminem Spears porn.jpg.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.rtc\3D Studio Max 6 3dsmax.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.webrequest\Cloning.doc.exe	netskyP.exe
File created	\??\c:\windows\serviceprofiles\localservice\downloads\Ringtones.mp3.exe	netskyP.exe
File created	\??\c:\windows\downloaded program files\E-Book Archive2.rtf.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http\netsky source code.scr	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.rtc\Win Longhorn re.exe	netskyP.exe
File created	\??\c:\windows\serviceprofiles\networkservice\downloads\Ahead Nero 8.exe	netskyP.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_64\system.net.http\c2a702d703816f85cc229d96cb1b0c5f\Ringtones.mp3.exe	netskyP.exe
File created	\??\c:\windows\downloaded program files\Matrix.mpg.exe	netskyP.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_64\system.net.http\c2a702d703816f85cc229d96cb1b0c5f\Arnold Schwarzenegger.jpg.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.webrequest\Best Matrix Screensaver new.scr	netskyP.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.http\62765bb26133f581e10bb7c866f35c83\Ringtones.mp3.exe	netskyP.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.http\Kazaa Lite 4.0 new.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.webrequest\Learn Programming 2004.doc.exe	netskyP.exe
File created	\??\c:\windows\softwaredistribution\download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\Harry Potter.doc.exe	netskyP.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.http\Smashing the stack full.rtf.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.webrequest\v4.0_4.0.0.0__b03f5f7f11d50a3a\RFC compilation.doc.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.webrequest\v4.0_4.0.0.0__b03f5f7f11d50a3a\Best Matrix Screensaver new.scr	netskyP.exe
File created	\??\c:\windows\softwaredistribution\download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\ACDSee 10.exe	netskyP.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_64\system.net.http\c2a702d703816f85cc229d96cb1b0c5f\Britney Spears Sexy archive.doc.exe	netskyP.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_64\system.net.http\c2a702d703816f85cc229d96cb1b0c5f\Magix Video Deluxe 5 beta.exe	netskyP.exe
File created	\??\c:\windows\downloaded program files\Altkins Diet.doc.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http\v4.0_4.0.0.0__b03f5f7f11d50a3a\Saddam Hussein.jpg.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http\v4.0_4.0.0.0__b03f5f7f11d50a3a\How to hack new.doc.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http\Britney Spears porn.jpg.exe	netskyP.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.http\62765bb26133f581e10bb7c866f35c83\Britney Spears fuck.jpg.exe	netskyP.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.http\netsky source code.scr	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.webrequest\Britney Spears fuck.jpg.exe	netskyP.exe
File created	\??\c:\windows\softwaredistribution\download\Cloning.doc.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.servicemodel.http\Doom 3 release 2.exe	netskyP.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.http\62765bb26133f581e10bb7c866f35c83\Cloning.doc.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http\v4.0_4.0.0.0__b03f5f7f11d50a3a\DivX 8.0 final.exe	netskyP.exe
File created	\??\c:\windows\softwaredistribution\download\d881ecfb1357f383d18f1e4fd0554eb0\Britney Spears and Eminem porn.jpg.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.webrequest\Eminem blowjob.jpg.exe	netskyP.exe
File created	\??\c:\windows\serviceprofiles\localservice\downloads\Britney Spears and Eminem porn.jpg.exe	netskyP.exe
File created	\??\c:\windows\downloaded program files\Eminem blowjob.jpg.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http\MS Service Pack 6.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.rtc\WinAmp 13 full.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.webrequest\v4.0_4.0.0.0__b03f5f7f11d50a3a\Ulead Keygen 2004.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.webrequest\Cracks & Warez Archiv.exe	netskyP.exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.servicemodel.http\Dictionary English 2004 - France.doc.exe	netskyP.exe

C:\Users\Admin\AppData\Local\Temp\netskyP.exe
"C:\Users\Admin\AppData\Local\Temp\netskyP.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1928-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1928-55-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/1928-56-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1928-57-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download