d55ab573d996e0eccdbc23534f49d35816130b3c3557d13c3c8b33b92cc3be12

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
Size

29KB
MD5

f963e6b74f454cd3a19e26e86950bb60
SHA1

cdb3320494183adb2190fe5e402bde9b962eca54
SHA256

d55ab573d996e0eccdbc23534f49d35816130b3c3557d13c3c8b33b92cc3be12
SHA512

fd93b31f5ebef32f1752f86300ed6d72c985e31c04409e48b5b8f444c790218887f615b74859a553cde9dd79d9ea4818c672a2ab71acade4aea2091a8c9b6673
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/vJ:AEwVs+0jNDY1qi/qJ

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2508	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2192-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/files/0x000700000001210a-6.dat	upx
behavioral1/files/0x000700000001210a-8.dat	upx
behavioral1/memory/2508-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2192-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2508-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2508-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2508-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2508-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2508-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2508-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2508-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2508-46-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2508-51-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2508-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-66.dat	upx
behavioral1/memory/2192-343-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2508-344-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2192-1162-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2508-1163-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2192-1886-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2508-1887-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2192-2814-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2508-2815-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2192-3749-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2508-3758-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
File opened for modification	C:\Windows\java.exe	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
File created	C:\Windows\java.exe	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2508	2192	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe	28
PID 2192 wrote to memory of 2508	2192	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe	28
PID 2192 wrote to memory of 2508	2192	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe	28
PID 2192 wrote to memory of 2508	2192	NEAS.f963e6b74f454cd3a19e26e86950bb60.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.f963e6b74f454cd3a19e26e86950bb60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f963e6b74f454cd3a19e26e86950bb60.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a97d320c7aa8f208575cdde97c628e01

SHA1
f62bc1d9dc0e2ce529b6d1e5db340c0e6a63adcd

SHA256
c806a7cb5c5b916d365ae0dc9fc019326819f41547b72407a337617e04e0926b

SHA512
f8381adafcea6a04f62eb18e1f01cf0ba41271f07a9bbddc90d28107bf5eeb6fba0c746cce8af8629382ce2ea1cba610cee357aa6ea267c3bd03175b00a1139f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b8a6bb561d195298075abee9941f293

SHA1
7c407aac4ee9739e0315ae0b38b1f79d3c8f381a

SHA256
dd729882f76633e8f434bcb12b51d6a8509ec505b9aea3e71c4118f5cb77e1c9

SHA512
d41e6a425579c70c0d3126305fa53e53f2a454298b8ac5e4972322811f98a9afddb2d2bd255c3f11d443dbbb31e38d261a21bdb427ab1604da60fe5c7e77d2b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a904cb26e974b7e937483e302de69a90

SHA1
abf60258b23f3a609eb8e901f9e3b649dd4de850

SHA256
db3e8992190ad0764615d6c143f81cf60ac5e124fd41f881109829429b37dc28

SHA512
8c716c300ffe09c501d43311902686d33d13fcc7a81dcae4931faa6abc83fef6aef7c6c9a4da72a1bf3223dfe6fe588849d7c35ddefa6637b83075ff58693880

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50c35a0c61f1448e00f248db01175dde

SHA1
059488a2e20520400d94c793874e36f308915050

SHA256
f324f3cd15f2bea90278f85248380a80eaa757f177860ea2ee6b30969f528323

SHA512
4873d3a179b8d375d031d3bf06857c20ecef680cc0909505305ae5140ac47a9b71258a51ba1ed821fc4ae2040980eb9580d7fab1fc74d6a24ba3e918dfa719e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
087ff876626533c88b85260e8e44bef3

SHA1
65524738e0d114247dc01313935f924541a91a12

SHA256
692301cbb0315c18ed772d67396320cec343f488d10413aa119f049bdb0d948d

SHA512
247d725660eb6a022fbbce97e3ac33bd3ad4d3b0da16ad052721c3a4699eeece22884fa48d6aeb652ca688d09ba4575f9222977ed7da5b834dfa0cdc99097d38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f6f7e7968504b58d5924f97170d2ff1

SHA1
795ccb08c0cc697c4d8d9a6f7b2430c826ed9b24

SHA256
0d5a02f0cfacd6e639db6fea91f44f53793642f570ae75235108eb27f343d446

SHA512
00f58c500710adad5e60eeb9906416890a5be9a483503793054331e9b446fe8e082ae593c2d81596b6f3da41636020cae5b22abe775f76779a6dbb9f256601fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ed86e625346ecb9a7abe9b4f277b05d

SHA1
c44f7de86f4b3f9c4525e310342b7cba7a7aeb87

SHA256
136b7ac7d9047af988f0d568d3c5174fcf51d8225eb9490e4108e97a54eb1c41

SHA512
abffc669ab5c23d43cbdf30ebd2465c086b59ddd2841ee80bfac3856f651ac1ccbe5fbf5a144a0fb264a4519a95a2bb6b4260aa6445986f2eed9b56c98d7defd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67deae64e4c4848d864346b3c43c3d0b

SHA1
85d981522080b22b53f992f6974a42d7d317d937

SHA256
1fafb4c54d010f0d4238ffc52ffb7fa9db17fd68dfed48904e9583d912d9031e

SHA512
ccf05c96a00552b9bfd19d83bdd98cdda597341033c59cd1dfc52317f4cb4635bb0c13bfb43f645d92e744cf0feb40b5c375be51ee1fd635dbf2f818000c0918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65002428c559a175d1ba1d690b1f5e3e

SHA1
8d6c8190ef7182043820738e002ec78fd27ebf13

SHA256
611d871f75f1db148b95e149983592bf8f21828ac18d8c528c48acb6f144abba

SHA512
e7c8be8cb3f02affcc2902ca10a0b8f283358d587fafbd1792490e714f89a6459aefd92cf3bc95be0e7abf420ca00da66595c43b292671094f70bc9c5cf0058c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e7cffcd426202c31559cf3493480b83

SHA1
b252f06a3fdd7397db28eed67f840d36b6b79052

SHA256
4b50b4b45fb473e13a1a015a9d3d1219f30eb29b46ca7cdf7a857c8ae722ee28

SHA512
885b759edc17db91243b98825ed16d062f5fa478acb9ac2263587c6be54f7db6d62befc7a96b7f8d8872ece4d159bb5e75a559c9f97c4ff6dfd20399daeb9a4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6711d627be10bb82319e4d39284d184a

SHA1
415157867f2475179cf200200b909f08dd42fcb2

SHA256
0af787d108eb9271d3e7bfbf3b7d8f88663401aa1a885af398aa1d7540c69fea

SHA512
cb84d0ac76b0e18c9a72eb6b62b856af1c5a5ce57423376e7d300b6d1b3a81b089464a7ff9f0109dae637cd3b8706842cc6c981f65b1d0c130faa4180b12fbd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e6e0b018534bc76edaeae1cc74b08fe

SHA1
afe19a61446144309876e25c3dfdee11a5b3b378

SHA256
71285ca502b1c5077dbb550af3de54acd59dd7caee2a28983d29453e6399eb7f

SHA512
8ac47e01f451526955ad0790201327698c6a12ce7c3b29cc9be47ac69cba742caa342ba422bc0913ea98deb3d8c3627ece8a110f0fd16bf0fe368675177978b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
358259d70eedef37f6e548bd0493dca5

SHA1
f713fccd7dd13ac08e77f11bfc36565e5eb926e3

SHA256
3a835abe901176bce9f53911f8d8a9d1b23605ed937a4fb9999b69d9e4c87916

SHA512
7261045cea47394deffb4fd56727081f67f95ae11117f3ffedf7a0c58a39b26cd04d5f444a42e4817b6420564e9ab76257f75fefa82bb8356bbfc3f8980d0c38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f74aa94ebef325374966fb2cdfc91632

SHA1
68aeda974289e55b29c205c169207e57a8404cbe

SHA256
b4b1ad7c9da778d0e84d5ed584d3dc834a488cfbbe52cde2c3c9ea579dbf4bf6

SHA512
5728f99d2e7bf39eedfe957c8518951163d04bc41b9ceb85768179bd6e3cfcd3e2ae828dce7dd03edb6e7d442c85b11940484926a9830b088fc2951263f4ebd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9b0294ef9ce62c8f091bd3565c6e7f6

SHA1
71f3e396f05d3930fa72bc2355be7797dcf899b2

SHA256
74d1f0f02d77679c1a837bd305e2427c89b33c9c5bf2a66428a61f9ee1e2df61

SHA512
6f35595d0296e0c6d2938becada3d57b99296434d17ec907c9b8836560f09f5267e942e57ab76f1eb5159908fd152471a5e6c2cd569a044ef27c1f422a77992d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0deb7a6169c0625e203d5f7f4c074dd

SHA1
7a93a3fca5fd313847bef96b5af18e655db81135

SHA256
7cbe509983c647855fc86ddec5a86775418381e1407bc51b662c3382fb9d4a9c

SHA512
9107961cfca9ad75f2077210d30850826c320038555adbdcb4e3167646c757c43100d686371dd1a6530ea258e4681be6a30aeffe2565ad1f32b110982a0c4a25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00870c89e44af9285e4dcd88c90424af

SHA1
559ff7c35d6e2a8992a2bb5f2bf728c740c124d4

SHA256
56f44b8967c48dfb95aa49bbff79b8c78cd19453f4726e7fdc9146c8a58ccb23

SHA512
adbfefda6daeb44497d8e24bc0c168dc1f6e0cff721ad67ae0d0564cebcb1bd62b3a5cd06972d9d48f8b5c8604194e5f29f15cf386cbcfea63ac2f96ddd8f046

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0cebe75b76d34576bedc96cd1ee18f4

SHA1
5d305329cf1cf49d69d70a1fdf67b139a4f9c93f

SHA256
62212671b422cf9b3f1040f98c815ffc77fca51e2f390d92ac3771565d7e17fd

SHA512
0c5ed275c02d031fb17e9ccc3689c73337b4abaf717ad19203daa8c493a86915ab3c7abd0bb810d2f13828b8a7812543a08ad7a89807d172f5ff46a6f9f800ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cba99b40d3509419c29c13af89e4bc47

SHA1
973bb0f13a7663c9d609819431931c358cad24c8

SHA256
62d77dc896b52f08d375a414f01bf17b1474a9423263977aa1c59696a394e320

SHA512
8d91b016f91f2ae363027259163bf16e65547c63b2c36a1060fe1f04e17ad85c14342d424ff6004e9491d6cba0adf2dbf0532dbbca2afcc74dd31ca5325f7a67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0df4c276dc9d46372a7d7f6d813dcca4

SHA1
782d255bfa67fac91460315ea729ebcab636c8d3

SHA256
53f8032a60013067525a4d2b6d31c44a8358cc4fc47cc5a4e270b9354dddc51e

SHA512
3ab42b81b1f4897c491d4f2f2e80cb18db96069fb78f1a94fddba53617ae0de4223a28387d7690b87a97229748f870164c340232eca7039830ac9c3458a0bd64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4079605627a7a885815bddd2c40fae2f

SHA1
a25cc0a17934264cb6a6754eb7d55fb1cb854bdc

SHA256
ac427570cbf98a2669361479c5ece0f7ee92fb506be4ae428423b9eb6a303524

SHA512
51315c270cfbfdf93f265a3c7d8e1a481a23995659fe3170cf85bd1e2e9f0435b70bd5f51bf685d478763c326021e2c599f99514149bbd5b681413d9b18d3ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d9c33865319e412febc09e132514ce2

SHA1
0bdc022d6eea1d7630fabca357c89e36d29b035e

SHA256
4bad5e2f0f26cf5612a5d413f18f70e60da735bbfafa7b51fac400187217977d

SHA512
c0608fd268817876a8ac68ff7830fe0bf1b040e2c93be0e61ddfa410d93dfb898c8ca8f08820e94c1e120172ea35b8ae69243e40d087afa34067afb1883560bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d23b317b184ae6564ac472ddb4bd3ac6

SHA1
9c99868714585246ec196250b853fca2e09f1f77

SHA256
0df3c34680ef5a23b9067831947ce1e77d710b8f33fd1706a6cb7947f88ffd3a

SHA512
a238939e49d57061adb58c17e00af4346c1a9916dd89d40835db43070a19c6437022a77d94ccc64643e5b4179199e1a0dd08541dc204b1b70588075fccc44c0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eacc1fbfb7c1ca0a1a4f5ea3d05c894e

SHA1
aaa7ab58126eb6049760c42637ca5e4ed5baf950

SHA256
38694d6ca2c64f7e0d20f6d680e71a4c18b649a21cee5740451f6d0e35ab2f5c

SHA512
4550dab38f70fa8865d8aab8893aecc931b97f6970c22b2f09b582ba81d234dd27330bf88e0125ce018a15680c2bc6a3d3470887e206ade30cb63ce1e0eeba30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
859a848f49f4c556881ad126ae47f231

SHA1
11539205dbaf3daaa25b44f7abc40c8a0d74b790

SHA256
54b660f258497e8c0ea21077f4f5eab9bb591155f841c30be62c446fad7fb50a

SHA512
063bd18a30593f52cc4fbc10b943daecb5851046f780770b9dbec0bd7ae629e7f4215a5256064cc942bc5bdc345a1dd7a8009d5e38adda0d5a961f39d3342bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c2ee6767a4c297714d0a9f1d65d703c

SHA1
61b56f9227f4b0591613503c3861d19aef5cdfe4

SHA256
77ca0df9d48fffc23cc46ef165cb742659ed9c73d4818aedd681fc1059907a28

SHA512
63b75bd18f09232e8df9be2e9c8d12685cef4af8f0ad90b8e3faa9bd2713143a5ff69379a542a5cef59866880031feb1df946a297b0512c8980107fefa9c5a67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95157deab71febcc6c991896ec56998a

SHA1
f255f7b30c4882a4ecd4b25085b440085a9d0cb1

SHA256
4f392e318a20b646aa26784a3e4af16ddcbdb6845977000f22693fd273675a36

SHA512
6bdce5a67e5fd2e13a36da1ba7d1f4f538e2119947971b6a47646a48c079fd4cc359bee7c91e2f76acea5ef357bd64536fbc48b7e12145718abf711901d8f2cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80f44192e68bfacb14cf710c68304b66

SHA1
4240ce00a2c4b91dcf1e5aeae2f51b69ba6a4c4b

SHA256
283941e87da677d8cae1770e52e513cfe398e4f62aac432d7cfb02b7627f007d

SHA512
0f85388c512b8498c3b82f5997353fc59f76e4e25d1b41d89d0c2b4db1b1ed407c31b3b2de5e79f38f969d7ce64efee58f8ff8f50a0a25e30e82657557698adc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11ebb6b0a376630ea6cd39ea2c8d000a

SHA1
15d7856654a5c5f3363f6c814717484b5e70e96c

SHA256
dd05330af9b18d5bd3054e353e149e56e6a0f3ae55ce3fc307aa3e2513d427e5

SHA512
13371491ee794a9f2da70a109f1848e010726f72f8b91bbc1301c38877f3f5f32f8c312db7bb1bcae974a3886e2066f6f7667994af4b6e8c8b774a83b61d7f4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23aab5e6d3272f2bb9eeb07ff0766504

SHA1
ce44b2f8dc648236782f5dc0c9eff2b793de99ab

SHA256
eccf0cfb9f078ccde57a6df9f8b6a4f985cf63df0f9351e4d1c70ee59c5d301f

SHA512
e1c5ea348a843426772da8a7a921c3a1f31594c9de20a6be5d03c2169bbdccfc3cf553658f6a6af41fc8d8f2214f365449a834b934ecae4067b549b002c83c70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8104cb05417ac5933f07bd7a0ff0c77e

SHA1
f02fd06768d6f4ceee90680957ede350e62fa599

SHA256
b0bce3739717c5e5cac239fd95d94268c0c196c6604fc68e05a71a7e46d6c882

SHA512
20a5a9e1f6a5ebed8a3ec85b30a00678df23d7dc64c41625d6e349bfd618e6960049e14f5c7419d05b3a6cee63ecf10fcc65df49e39a7026d27c8ee60f0945da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6654d1495c92aba23dd297ddcd273635

SHA1
9b64728c75d25179679922723bed165cf9029fc2

SHA256
31f2013c6afa4deecb84ee07ac46a12afe23f791b020b717b3f030d8c9d8343a

SHA512
4ac1b38be3d2542932f72bf787eea6ac989fd1d1627ad7dc65e33a893f21dfc538ee5d435df39c56e9c968c0ee3a1ae8a640da07b673fb3242ac70746a612b76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
956828176f7b04918c946651773825e3

SHA1
28b204821096d305bdd3606d39e6a2677f667f4d

SHA256
03979e9e37edab78f776508085c07e9165cd325e2e2f746b5f910d26fdf5a2da

SHA512
dae237647af3f875b1bc1afd1034c1e99b0ee186f20e88c326dff4f6b4fce4083994cdfb71e37ba4d2a3d0f8783558afb15bfa983994aceccb38296accbba2e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03998273afdcafbfc3c552e2692e3c1e

SHA1
b4493e7ef8c5b53163af0660935aebd15b5882d1

SHA256
49a9935c68ad70bf6621d72821c07fcd829ccc18cb7468fa6e8d95fa8e38b9ba

SHA512
65f04900f510f961230a6ce4e5289014cacd69f3448a546bf512c23a0b1d3c0a621fc0e9d549f395608330dcf7e27f0cd74146ca588f7dfcab7d57e620bb58bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e16d3b2a2ad2aafa693b9cdf7b6247e1

SHA1
b90d2e29015f45fa4cff497b5dae61ca7da7f5fc

SHA256
5c78e94c03b94036e893d8eb4d73770c73d865e8191e9f1cb198b15c3990b4fa

SHA512
8c2d328fe92e3e26b038b97dc9d5a9f9fef7e069153e40a46d86a50c1b7043cffeaa3b74b95d57e39fa1862e375c6c534d9e97d4fc98c3fe807530777c3e47d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11ad29fee748e0c1c990eb43277fb991

SHA1
3ba524e8a696978fbf1b8ad4ed0a073b71ce1b34

SHA256
bb3ea1256ba7bcb25cf5059d3f6b79f247af78e0c61268cc70374382325585c5

SHA512
d9028e014e88a05a15311154704b794f6dfde850e3bb48e9ed6aa6c938219bed017b363b85db3ac90bf9e4ca5d91eec7c284616a3fe751ee86703694e4bf6102

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16366de509f1d48c59a7e487a596020e

SHA1
009f369717326b97949e7c73dd4cc41de73e011a

SHA256
3c64fa73be43581831e49b9162afde9468fd86d1860bb7092b59ee89e62d08a4

SHA512
2ca48e920eef22ce927ffcafbdeb8143a3b3101cab1cdf76c70ce0f42aea743e5b733e75979e3db1b57b8df9fd08bea061fedadb70e57ca2bffac92c5a06854e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f934d628893f69022f9ca2e41aa44aab

SHA1
05c81a55d93a14885a9db6e11526771eabf47acc

SHA256
5b75bc9ec8d70cb2f8b4f63adfed8561830657911f2b28c4a4809f28d256fdd0

SHA512
697abcf581f1e7660ee309f77b40013142090cbb1dc839988c94cb1723b29c33970aa32fcbdf2b3ea84c24f38ba89183efcd8f9c3dea44f1d7c37a7fde3e2d49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
adacf69cd810bb48f3db8cfb176f8c8c

SHA1
938cdb912484aa807226329cbee6ad6afccba722

SHA256
e98d1abdef3ea2b2e921bc2d9b94ce5203ad1070d61a9090b935b68cc1f6782e

SHA512
c2b6799757b8efcc1bbac7a0c629d8db7783f58c3b971165552ea0daf4972076c9e6a292026a31f840527ae359d22f8214cacb537bef964395e3e33b6ecd6b38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
29bb114e29971e9bbed926c43dfffe8c

SHA1
ac261a17e04d2f73491ebecc4422f3ab7bc2b39a

SHA256
359fb72925ad930459ccb87f1141e61a0c49f694982412bb1575cbfba56c3af0

SHA512
8e4861fa771a826c545be6e16fef0f20d435904af098d7d01aa265171aca4c4dccfc03842e8eb77a6b1f74e78b48b9f39a5d836f0a6d77f00959838a6eea13a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d252c05bbb70fd09820f303a37f90008

SHA1
2b29ca76d48cc2c54161f6940d2de68a59d4916a

SHA256
ed42f50cc10a32aa85cd60ce0ee9a3c30d0a1ec9dc9b591ac3e7058e838284c1

SHA512
5dfce6ef0f07fa89f997680d0048ae9598c3ef3439fc5b04a23da0a6ac9f00d9ca89591ea7f61490580f55f80b080e14797a40640e00f824c14d4b56ccafccb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72f31eb08bc74507be126a267911e9fc

SHA1
868f0671047116b0821da3746c1e881f13edfe5a

SHA256
2655a2ab393660205bc76a0f701a2d85303cd959ff5838e6fddbc8cc96c635d4

SHA512
87fda95e9e6a7d8e3bf1311e92166051668d435382851696a683c08434995b33f1f669edb986681e3d8956d8a8dce0b7d40412ca2482bd3815b02e491511c352

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b6d9c44d3b383c769277a0df508fe58b

SHA1
f47f3ba42fcc5cd8f8b5a5a18891fc6e2fc0500a

SHA256
65ecee779275198f297fbb58b5f7f2f4bade3cea203c3fa78f34eec44714063d

SHA512
b7359a1d569f46b8774158207dd11017845b8c06346a459381e1e3df346238f07cab6d723590634af77fe3dfd7c0d8e42161c3788c1cb825dd759b3f72c8574f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0ed21acd209b2704de22ff39efc5036

SHA1
16e889cd756b2d96b08a019e51c2f8ae5bdcbf61

SHA256
c6ad11c2250ab80ca2a6cdd1dbb2759dc81e315c5242415a7ee37387d417f1b9

SHA512
141e7e37ecac7b258ec6dfa118db90fcabaf2c2fe81428445c3abc122109e475248c2bc1e21cb41c6b5caca6fc1f4d666d045ea25c46299a5e30a3dcbcce5037

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
64ffc6ad0f646b81c890c76f632bb18d

SHA1
035c64faf3709d03cd9b850b1fdf4212de230861

SHA256
d9da7bc00866d212c9fccb6f006d43381950eb1147e4a4eba7144ca4b01faf07

SHA512
aaecacd65df4cfa044e804bf15703a300cf40451917ff296617849fd7ca40a2242b7900cbab455e03f182c552ebf2ebcbdaa204dbb9ea78a92045348ac1fe5cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e259efee430c24290bbc92073e5bcf2

SHA1
c37d9f02c3084e1b68f7778eda9818da95d988e7

SHA256
39953e25d82df3c5ec29a89159d63aaa7bca0e159ff76b7b27dd4f659737e081

SHA512
42a7a40f988d3463fccf3c52c95ac54fca1bf8cb3f8111a52d82c5dfcfb7e2bc779af252fa589c36032d73e1368f6cdac371c0c069fd6a4121961c2ddffc0b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H57AUUE9\default[2].htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYJJYCDH\default[1].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q3NPL6GJ\default[1].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q3NPL6GJ\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB9D4.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBA06.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB30C.tmp

Filesize
29KB

MD5
ed81cbc3706d324d5d8db548f066605c

SHA1
a1f0b74540b755446d46df71e3fc92264371b3a5

SHA256
4cfab502e722fb6e1b22b91a5bdedea0af64adb490aa57f515ce97ad25a5e8e3

SHA512
88dde5f957f190db5e2cce7932c5727497ad9e93cb337848ea6410b81cb9a9da4d47afe868479d2d6913c2e1380fa990d041db63d47782f0386a00f6531e78d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
8a979e5c45f6126a4c44bffe95f23cc8

SHA1
2679aeeb1e6fe3fb91d219d3a750cd9c681738c1

SHA256
2bf9a988224de65f3c2fa2e0b4331bc3e300e8a37bfaf152a3c675b801a90dea

SHA512
408ddeeea828671ff9e88297fa9c6d490bc6f6fef5fae378a7d01261bda5452f9d99596a580293385ebac68e720500df3bc1faa283b524419fd5d4f06d8f68a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
230a70b16a156090ec9c699a571bb0b2

SHA1
4212fefbb867fbf2453d293a007c6648bd48c626

SHA256
9bd858336a9cf75176dc73c22b3c93f53c241ebd615ce1acf59d68ab9d85710e

SHA512
d0957f59b5efee0ef52c58936989b1bd9a6602af6d5f11928992b7dad33518e923b45b25f6e3de310a04ead9c9e132e96c3d87a96e4d0b3c950c473285070eb6

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2192-18-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2192-343-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2192-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2192-1886-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2192-2814-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2192-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2192-10-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2192-1162-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2192-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2192-19-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2192-3749-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2508-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-3758-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-1887-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-46-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-51-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-1163-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-2815-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-344-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads