netwire | 82fbdf9b5469406b50370f3d52fa410097b8b4a108c36cb0e8ef716e92190e93

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
28/10/2023, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
Size

4.4MB
MD5

d85f267d416aecc9ce02a394d7ae0050
SHA1

1d134c1cf5eb76c3f8917e7fab57d5c00c96d56f
SHA256

82fbdf9b5469406b50370f3d52fa410097b8b4a108c36cb0e8ef716e92190e93
SHA512

64578e73e578df6c94fa0514c5e159fc4338f31dfa6455a636d2819c347c13c250f09e94252c256fe3b506d1242258e42420a2095f9c1b829fb355a100ce3129
SSDEEP

98304:K2cPK8Qh71GAnlUxvawmWybJQAlbM0azCWtg04c5bc:lCKhhZGHCwBx2bazjtf5bc

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

nl-amsterdam04.crypticvpn.com:8067

ru-moscow02.crypticvpn.com:8022

de-frankfurt03.crypticvpn.com:8022

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Zboub-%Rand%
keylogger_dir
%AppData%\Roaming\Microsoft\MMC\Logs\
lock_executable
false
mutex
oLTJRPxq
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1524-13-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1524-15-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1524-97-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
2572	KMSoffline_x64.exe
1204	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 1524	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	KMSoffline_x64.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2572	KMSoffline_x64.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2572	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	28
PID 2364 wrote to memory of 2572	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	28
PID 2364 wrote to memory of 2572	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	28
PID 2364 wrote to memory of 2572	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	28
PID 2364 wrote to memory of 2712	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	32
PID 2364 wrote to memory of 2712	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	32
PID 2364 wrote to memory of 2712	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	32
PID 2364 wrote to memory of 2712	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	32
PID 2364 wrote to memory of 2920	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	31
PID 2364 wrote to memory of 2920	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	31
PID 2364 wrote to memory of 2920	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	31
PID 2364 wrote to memory of 2920	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	31
PID 2364 wrote to memory of 2584	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	30
PID 2364 wrote to memory of 2584	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	30
PID 2364 wrote to memory of 2584	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	30
PID 2364 wrote to memory of 2584	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	30
PID 2364 wrote to memory of 2908	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	29
PID 2364 wrote to memory of 2908	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	29
PID 2364 wrote to memory of 2908	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	29
PID 2364 wrote to memory of 2908	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	29
PID 2364 wrote to memory of 2688	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	35
PID 2364 wrote to memory of 2688	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	35
PID 2364 wrote to memory of 2688	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	35
PID 2364 wrote to memory of 2688	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	35
PID 2364 wrote to memory of 2692	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	33
PID 2364 wrote to memory of 2692	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	33
PID 2364 wrote to memory of 2692	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	33
PID 2364 wrote to memory of 2692	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	33
PID 2364 wrote to memory of 2488	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	34
PID 2364 wrote to memory of 2488	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	34
PID 2364 wrote to memory of 2488	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	34
PID 2364 wrote to memory of 2488	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	34
PID 2364 wrote to memory of 2656	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	36
PID 2364 wrote to memory of 2656	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	36
PID 2364 wrote to memory of 2656	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	36
PID 2364 wrote to memory of 2656	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	36
PID 2364 wrote to memory of 2904	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	37
PID 2364 wrote to memory of 2904	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	37
PID 2364 wrote to memory of 2904	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	37
PID 2364 wrote to memory of 2904	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	37
PID 2364 wrote to memory of 2640	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	38
PID 2364 wrote to memory of 2640	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	38
PID 2364 wrote to memory of 2640	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	38
PID 2364 wrote to memory of 2640	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	38
PID 2364 wrote to memory of 2280	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	39
PID 2364 wrote to memory of 2280	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	39
PID 2364 wrote to memory of 2280	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	39
PID 2364 wrote to memory of 2280	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	39
PID 2364 wrote to memory of 2516	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	40
PID 2364 wrote to memory of 2516	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	40
PID 2364 wrote to memory of 2516	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	40
PID 2364 wrote to memory of 2516	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	40
PID 2364 wrote to memory of 2504	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	51
PID 2364 wrote to memory of 2504	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	51
PID 2364 wrote to memory of 2504	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	51
PID 2364 wrote to memory of 2504	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	51
PID 2364 wrote to memory of 2664	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	50
PID 2364 wrote to memory of 2664	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	50
PID 2364 wrote to memory of 2664	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	50
PID 2364 wrote to memory of 2664	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	50
PID 2364 wrote to memory of 3020	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	49
PID 2364 wrote to memory of 3020	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	49
PID 2364 wrote to memory of 3020	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	49
PID 2364 wrote to memory of 3020	2364	NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe	49

C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\KMSoffline_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\KMSoffline_x64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2280
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:3024
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1516
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1232
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:528
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:576
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:676
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:268
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:780
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:588
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:868
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1156
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1404
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:632
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:540
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:756
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1480
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1348
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1868
- C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d85f267d416aecc9ce02a394d7ae0050_JC.exe"
  2⤵
  PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab6E11.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMSoffline_x64.exe

Filesize
3.2MB

MD5
b47f0f4b2c316cbd48a6e7bae8097007

SHA1
db0e8c3398e6ec8c7d8a62e205547536a2c68305

SHA256
cc845095b2adf954481fbd18b6e5c3a03794c7dba416178047641e32079a5cbb

SHA512
fe34463bf63cb111fcd1f66fcd998fe1517098abf0eb6a12dd28df48f8fbf497f30e8487a896fe5329a88c98bc469430e31d94c8816923f5f5b6fc5dc44635d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMSoffline_x64.exe

Filesize
3.2MB

MD5
b47f0f4b2c316cbd48a6e7bae8097007

SHA1
db0e8c3398e6ec8c7d8a62e205547536a2c68305

SHA256
cc845095b2adf954481fbd18b6e5c3a03794c7dba416178047641e32079a5cbb

SHA512
fe34463bf63cb111fcd1f66fcd998fe1517098abf0eb6a12dd28df48f8fbf497f30e8487a896fe5329a88c98bc469430e31d94c8816923f5f5b6fc5dc44635d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6EB0.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
\Users\Admin\AppData\Local\Temp\KMSoffline_x64.exe

Filesize
3.2MB

MD5
b47f0f4b2c316cbd48a6e7bae8097007

SHA1
db0e8c3398e6ec8c7d8a62e205547536a2c68305

SHA256
cc845095b2adf954481fbd18b6e5c3a03794c7dba416178047641e32079a5cbb

SHA512
fe34463bf63cb111fcd1f66fcd998fe1517098abf0eb6a12dd28df48f8fbf497f30e8487a896fe5329a88c98bc469430e31d94c8816923f5f5b6fc5dc44635d2

Download Submit
\Users\Admin\AppData\Local\Temp\KMSoffline_x64.exe

Filesize
3.2MB

MD5
b47f0f4b2c316cbd48a6e7bae8097007

SHA1
db0e8c3398e6ec8c7d8a62e205547536a2c68305

SHA256
cc845095b2adf954481fbd18b6e5c3a03794c7dba416178047641e32079a5cbb

SHA512
fe34463bf63cb111fcd1f66fcd998fe1517098abf0eb6a12dd28df48f8fbf497f30e8487a896fe5329a88c98bc469430e31d94c8816923f5f5b6fc5dc44635d2

Download Submit
memory/1524-97-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1524-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1524-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2364-12-0x0000000000330000-0x0000000000333000-memory.dmp

Filesize
12KB

Download
memory/2572-18-0x000000001B5F0000-0x000000001B97C000-memory.dmp

Filesize
3.5MB

Download
memory/2572-19-0x0000000000360000-0x00000000003BC000-memory.dmp

Filesize
368KB

Download
memory/2572-20-0x0000000000A30000-0x0000000000ADA000-memory.dmp

Filesize
680KB

Download
memory/2572-17-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2572-16-0x000000001B290000-0x000000001B310000-memory.dmp

Filesize
512KB

Download
memory/2572-91-0x000000001B290000-0x000000001B310000-memory.dmp

Filesize
512KB

Download
memory/2572-92-0x000000001CD70000-0x000000001CDFA000-memory.dmp

Filesize
552KB

Download
memory/2572-93-0x000000001BA40000-0x000000001BA5E000-memory.dmp

Filesize
120KB

Download
memory/2572-11-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2572-96-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2572-98-0x000000001B290000-0x000000001B310000-memory.dmp

Filesize
512KB

Download
memory/2572-10-0x0000000000F30000-0x0000000001272000-memory.dmp

Filesize
3.3MB

Download
memory/2572-99-0x000000001B290000-0x000000001B310000-memory.dmp

Filesize
512KB

Download