890eee2beb37491e5fe14bb03be20ad8765769d740f5b301fc55c3d1f8fb0ee3

Analysis

max time kernel
168s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
Size

5.0MB
MD5

f0549c907ad8e3ee7b5817f8330cbf70
SHA1

995feae5396fdc6a9268244c8564d097cd4e8bac
SHA256

890eee2beb37491e5fe14bb03be20ad8765769d740f5b301fc55c3d1f8fb0ee3
SHA512

b1b63bdc3028e78cc42a5ec5cc11d3a64a0efef8d12d53d20f4ccc30954856dcaafaa6b457b54ba528357632e38e0fa76569839cffc1c1ab7a74541ddb364210
SSDEEP

98304:yb0TK+JLZqHgOMJpjFTes4T8ddnVuT40qPC:y9+zqbCTz4TogTsa

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2516-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000100000000ea77-5.dat	upx
behavioral1/memory/2516-9-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-8-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-29-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-40-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-52-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-65-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-71-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-72-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-73-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-74-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-75-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-76-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-77-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-78-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2516-87-0x0000000000400000-0x000000000040F000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000100000000ea77-5.dat	autoit_exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PATHPING.EXE	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\ReAgentc.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\dcomcnfg.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\mspaint.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\sdbinst.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\setupSNK.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\shutdown.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\convert.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\DevicePairingWizard.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\migwiz\migwiz.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\MRINFO.EXE	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\write.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\auditpol.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\diskraid.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\icardagt.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\RMActivate.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\TsWpfWrp.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\xpsrchvw.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\cmmon32.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\Dism\DismHost.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\diskpart.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\dllhst3g.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfRsmg.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\vmicsvc.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\icacls.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\user.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\compact.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\diantz.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\Utilman.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\dpnsvr.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\waitfor.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\LocationNotifications.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\logman.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\newdev.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\SearchProtocolHost.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\tzutil.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\esentutl.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\getmac.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\mobsync.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\takeown.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\gpupdate.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\msra.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\taskmgr.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\wbem\mofcomp.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\com\comrepl.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\credwiz.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\wuapp.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\driverquery.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\iscsicli.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\label.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\rasphone.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\RMActivate_ssp_isv.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\explorer.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\netsh.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\taskeng.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\dvdplay.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\expand.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\dfrgui.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\ocsetup.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\resmon.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\autoconv.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\cacls.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\SysWOW64\DpiScaling.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-services-ehrecvr_31bf3856ad364e35_6.1.7601.17514_none_1b8f8373383de46a\ehrecvr.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7601.17514_none_bd4644e077251730\cmstp.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..devicescontrolpanel_31bf3856ad364e35_6.1.7600.16385_none_8094bd7b62d2b435\ImagingDevices.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-international-core_31bf3856ad364e35_6.1.7600.16385_none_459f562ff37206dd\MuiUnattend.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_6.1.7600.16385_none_934d08d31b96d4ee\sdchange.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..iuminboxgames-chess_31bf3856ad364e35_6.1.7600.16385_none_d0c99374981840d5\Chess.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-setupapi_31bf3856ad364e35_6.1.7601.17514_none_931b5f1fdcdd6496\wowreg32.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..temcompareutilities_31bf3856ad364e35_6.1.7600.16385_none_5cbb962a4f0d58c1\fc.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5023a70bf589ad3e\regedt32.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-runas_31bf3856ad364e35_6.1.7600.16385_none_bbdd3aeb771e694e\runas.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-credwiz_31bf3856ad364e35_6.1.7600.16385_none_fbcfa2528586252f\credwiz.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-infdefaultinstall_31bf3856ad364e35_6.1.7600.16385_none_c8897566b5c070a0\InfDefaultInstall.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7601.17514_none_bd4644e077251730\cmmon32.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..line-user-interface_31bf3856ad364e35_6.1.7600.16385_none_38dc646bf68909f4\cmdkey.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_6.1.7601.17514_none_832fc1bb7d681e0d\sdclt.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sonic-sbeserver_31bf3856ad364e35_6.1.7601.17514_none_7b380cb06fd9d81d\SBEServer.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-alg_31bf3856ad364e35_6.1.7600.16385_none_04de43c774cf8fe3\alg.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-autofmt_31bf3856ad364e35_6.1.7601.17514_none_441a424cd5cda219\autofmt.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-mcweblauncher_31bf3856ad364e35_6.1.7600.16385_none_5846a8771b202706\MediaCenterWebLauncher.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-iecleanup_31bf3856ad364e35_11.2.9600.16428_none_a03d6846a99c1c87\iecleanup.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\iisrstas.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ktmutil_31bf3856ad364e35_6.1.7600.16385_none_e47ee9c51ad9df17\ktmutil.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-mctadmin-component_31bf3856ad364e35_6.1.7600.16385_none_672f52a8b504cbbe\mctadmin.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-installer-executable_31bf3856ad364e35_6.1.7601.17514_none_a7a77a3b9cb96ce6\msiexec.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_23376bf5921e7b63\auditpol.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-diskraid_31bf3856ad364e35_6.1.7601.17514_none_c3afa97fae99bbe4\diskraid.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-filtermanager-utils_31bf3856ad364e35_6.1.7600.16385_none_7582a4a93f08b488\fltMC.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_6.1.7601.17514_none_4e297fab940bc0e5\ntprint.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.17514_none_58b4153116c17b41\RDVGHelper.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-shanghai_31bf3856ad364e35_6.1.7600.16385_none_1c98ed5d08db04ce\Mahjong.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_6.1.7600.16385_none_96421d40c0e2903e\aspnet_regbrowsers.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d\dllhost.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasclienttools_31bf3856ad364e35_6.1.7600.16385_none_cb3bc16fc2624947\rasphone.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-vault_31bf3856ad364e35_6.1.7600.16385_none_4d5e025e54ba15f8\VaultCmd.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_6.1.7601.17514_none_326571587836a400\wsqmcons.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-optionalfeatures_31bf3856ad364e35_6.1.7600.16385_none_c25bebf1075ff6aa\OptionalFeatures.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-proquota_31bf3856ad364e35_6.1.7601.17514_none_85ecfd46a904b22a\proquota.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..-coreinkrecognition_31bf3856ad364e35_6.1.7600.16385_none_498d334c14a3b9bb\hwrcomp.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\shadow.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_db2b15bfcf64f104\wextract.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-driverquery_31bf3856ad364e35_6.1.7600.16385_none_f217bd1caebaa683\driverquery.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-networkprojection_31bf3856ad364e35_6.1.7600.16385_none_3fbc74d90a6e33f8\NetProj.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_6.1.7600.16385_none_ad5854ca0a23343d\mount.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_c9392808773cd7da\cleanmgr.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\csrss.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_3899b0ad2bb77a86\iscsicli.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_bf4980401574a899\diskperf.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_6.1.7600.16385_none_c50af05b1be3aa2b\powershell.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-recover_31bf3856ad364e35_6.1.7600.16385_none_e2083f75ce4c0619\recover.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File opened for modification	C:\Windows\Microsoft.NET\NETFXRepair.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_9ebebe8614be1470\notepad.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-logagent_31bf3856ad364e35_6.1.7600.16385_none_47357ddedbb9dec6\logagent.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-reliability-postboot_31bf3856ad364e35_6.1.7600.16385_none_a9b5c1d91f03e0b4\RelPost.exe	NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f0549c907ad8e3ee7b5817f8330cbf70_JC.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Filesize
5.1MB

MD5
4b67e20c74aaa5e5a0ffafd25874538e

SHA1
fefccac09912d5297be3698fa67b94774a813358

SHA256
2e0090516d474a836ea2a19480461340997c236ef09c1dd9b05e12ac7f8ec523

SHA512
a3c1e2597812afccf305112f89b6b9f28135854cb8df1a4f4596ca92489e536a1b2d70314a579dabea8898ddfa89b453018c725e01a8536e63b49fd93e9584b0

Download Submit
memory/2516-71-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-73-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-8-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-29-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-40-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-52-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-65-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-72-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-74-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-75-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-76-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-77-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-78-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-87-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download