description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

pid	Process
2932	xk.exe
960	IExplorer.exe
5016	WINLOGON.EXE
1668	CSRSS.EXE
1340	SERVICES.EXE
1216	LSASS.EXE
4916	SMSS.EXE
3760	xk.exe
520	IExplorer.exe
2932	WINLOGON.EXE
3996	CSRSS.EXE
1340	SERVICES.EXE
2560	LSASS.EXE
2468	SMSS.EXE

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

description	ioc	Process
File opened for modification	C:\desktop.ini	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\desktop.ini	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened for modification	F:\desktop.ini	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	F:\desktop.ini	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

description	ioc	Process
File opened (read-only)	\??\G:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\I:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\K:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\L:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\Q:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\S:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\V:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\E:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\J:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\M:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\U:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\W:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\B:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\O:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\T:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\X:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\Y:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\H:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\N:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\P:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\R:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\Z:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\SysWOW64\shell.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\SysWOW64\Mig2.scr	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\xk.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

pid	Process
2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

description	pid	Process	procid_target
PID 2008 wrote to memory of 2932	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	86
PID 2008 wrote to memory of 2932	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	86
PID 2008 wrote to memory of 2932	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	86
PID 2008 wrote to memory of 960	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	87
PID 2008 wrote to memory of 960	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	87
PID 2008 wrote to memory of 960	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	87
PID 2008 wrote to memory of 5016	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	88
PID 2008 wrote to memory of 5016	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	88
PID 2008 wrote to memory of 5016	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	88
PID 2008 wrote to memory of 1668	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	90
PID 2008 wrote to memory of 1668	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	90
PID 2008 wrote to memory of 1668	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	90
PID 2008 wrote to memory of 1340	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	91
PID 2008 wrote to memory of 1340	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	91
PID 2008 wrote to memory of 1340	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	91
PID 2008 wrote to memory of 1216	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	92
PID 2008 wrote to memory of 1216	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	92
PID 2008 wrote to memory of 1216	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	92
PID 2008 wrote to memory of 4916	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	93
PID 2008 wrote to memory of 4916	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	93
PID 2008 wrote to memory of 4916	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	93
PID 2008 wrote to memory of 3760	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	100
PID 2008 wrote to memory of 3760	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	100
PID 2008 wrote to memory of 3760	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	100
PID 2008 wrote to memory of 520	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	101
PID 2008 wrote to memory of 520	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	101
PID 2008 wrote to memory of 520	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	101
PID 2008 wrote to memory of 2932	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	103
PID 2008 wrote to memory of 2932	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	103
PID 2008 wrote to memory of 2932	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	103
PID 2008 wrote to memory of 3996	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	104
PID 2008 wrote to memory of 3996	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	104
PID 2008 wrote to memory of 3996	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	104
PID 2008 wrote to memory of 1340	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	105
PID 2008 wrote to memory of 1340	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	105
PID 2008 wrote to memory of 1340	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	105
PID 2008 wrote to memory of 2560	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	106
PID 2008 wrote to memory of 2560	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	106
PID 2008 wrote to memory of 2560	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	106
PID 2008 wrote to memory of 2468	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	107
PID 2008 wrote to memory of 2468	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	107
PID 2008 wrote to memory of 2468	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	107

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.