f10ae8278080ab1748d8e114ce5a0a499a9016b55993a83e65c40a7dc40d258f

Analysis

max time kernel
166s
max time network
185s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 21:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
Size

734KB
MD5

ddae517813533ff8cfb81a1187fcb6d0
SHA1

3e9d0bcab5d94967d5adcfe00a45f46052fe9a9a
SHA256

f10ae8278080ab1748d8e114ce5a0a499a9016b55993a83e65c40a7dc40d258f
SHA512

93c7eaed105d56a78c34d50ef2d1f27de0602271e3d4009d3036cee4c5e48c74bdd34a1d177e220ce42fb4e721839d4efe964b6d30fc6c66e356ed8c8d1bf87d
SSDEEP

12288:UxazIxzq/TymWfc/vQMeBDajRIO3iSw1+oKJt:Uxazszq/TymWfc/IMYciSw1jKJt

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@"	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fc.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\ieUnatt.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\lodctr.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\RMActivate.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\upnpcont.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\dplaysvr.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\pcaui.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\PkgMgr.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\WerFault.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\IME\shared\IMEPADSV.EXE_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\ROUTE.EXE	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\auditpol.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\cacls.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\fltMC.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\tree.com_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\wbem\mofcomp.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\autoconv.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\calc.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\lodctr.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\PresentationHost.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\waitfor.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\tree.com	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\verclsid.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\wscript.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\comp.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\newdev.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\RpcPing.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\tasklist.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\TCPSVCS.EXE_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\WSManHTTPConfig.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\Dism\DismHost.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\fontview.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\PushPrinterConnections.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\sethc.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\systeminfo.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\finger.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPMGR.EXE_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\mspaint.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\timeout.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\fsutil.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\gpscript.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\winver.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\chkntfs.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\efsui.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\eventcreate.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\diskcomp.com_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\cliconfg.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\dcomcnfg.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\cmdkey.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\extrac32.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\msiexec.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\Utilman.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\wimserv.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\wusa.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\chkntfs.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\diskcopy.com_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\poqexec.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\scrnsave.scr	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\TpmInit.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\migwiz\MigSetup.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\mtstocom.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\attrib.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\SysWOW64\cleanmgr.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\bin\tnameserv.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Google\Update\Install\{387F9655-B359-4E61-88ED-DE7E1B79B653}\chrome_installer.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Windows Journal\Journal.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jre7\bin\orbd.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Windows Media Player\WMPDMC.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Windows Media Player\wmpenc.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jre7\bin\java-rmi.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Windows Defender\MSASCui.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jre7\bin\policytool.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.bat-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jre7\bin\rmid.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpenc.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-mcweblauncher_31bf3856ad364e35_6.1.7600.16385_none_5846a8771b202706\MediaCenterWebLauncher.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-iexpress_31bf3856ad364e35_11.2.9600.16428_none_46d2efef53c02386\iexpress.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-openfiles_31bf3856ad364e35_6.1.7600.16385_none_431b58a8041530aa\openfiles.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-certificaterequesttool_31bf3856ad364e35_6.1.7600.16385_none_67e6e9a778bbd9d5\certreq.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\attrib.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..mpropertieshardware_31bf3856ad364e35_6.1.7600.16385_none_40d0db63344deff9\SystemPropertiesHardware.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ion-twaincomponents_31bf3856ad364e35_6.1.7601.17514_none_8b399e33ba72bed9\twunk_16.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104\sdbinst.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-runas_31bf3856ad364e35_6.1.7600.16385_none_bbdd3aeb771e694e\runas.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..diagnostic-schedule_31bf3856ad364e35_6.1.7601.17514_none_f1fca1ab90570e8a\MdSched.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-pnpui_31bf3856ad364e35_6.1.7600.16385_none_bacc830144fa7791\dinotify.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-com-complus-ui_31bf3856ad364e35_6.1.7600.16385_none_0c9cb55c61e99805\dcomcnfg.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-convert_31bf3856ad364e35_6.1.7601.17514_none_9edcb4a706944d0a\convert.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_regiis_exe_b03f5f7f11d50a3a_6.1.7600.16385_none_e6af0acbde467b7b\aspnet_regiis.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-anytime-upgradeui_31bf3856ad364e35_6.1.7600.16385_none_4aadf3be188c056d\WindowsAnytimeUpgradeui.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\msil_wsatconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_dd3a06567424a01b\WsatConfig.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.1.7600.16385_none_d5b4f96cdbb9a8b1\IMJPDSVR.EXE_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_34ce5d95ad203bbe\ROUTE.EXE-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_3.5.7600.16385_none_8c3cf176a8e91487\MSBuild.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-restartmanager_31bf3856ad364e35_6.1.7600.16385_none_800bbdee85723191\RmClient.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\HelpPane.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..devicescontrolpanel_31bf3856ad364e35_6.1.7600.16385_none_8094bd7b62d2b435\ImagingDevices.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..eoptionalcomponents_31bf3856ad364e35_8.0.7601.17514_none_7a9a2f07e4e23a48\ConfigureIEOptionalComponents.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\appcmd.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..boxgames-backgammon_31bf3856ad364e35_6.1.7600.16385_none_668d031845881638\bckgzm.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-servicepackcoordinator_31bf3856ad364e35_6.1.7601.17514_none_92e727843e307e1b\spreview.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21863_none_6e8a5c3d2bac37e9\ntkrnlpa.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.1.7601.17514_none_d4c5c995fb3f4a1b\audiodg.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.1.7600.16385_none_cb604f1aa758e6b6\IMJPDSVR.EXE-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..iuminboxgames-chess_31bf3856ad364e35_6.1.7600.16385_none_d0c99374981840d5\Chess.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_fa2fc39ab7937a51\resmon.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_regasm_b03f5f7f11d50a3a_6.1.7601.17514_none_a3c349b4bdac0898\RegAsm.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MSASCui.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-taskkill_31bf3856ad364e35_6.1.7600.16385_none_25545528bd642170\taskkill.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\assembly\GAC_MSIL\Narrator\6.1.0.0__31bf3856ad364e35\Narrator.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-calc_31bf3856ad364e35_6.1.7600.16385_none_05b2f2e2346cfea4\calc.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\IMCCPHR.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-regsvr32_31bf3856ad364e35_6.1.7600.16385_none_782d737490d72da3\regsvr32.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\0b4d4e172e8054cb61d27f5ab9e0e445\SMSvcHost.ni.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\IMCCPHR.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-com-complus-setup_31bf3856ad364e35_6.1.7600.16385_none_459ccaf008ff34f6\mtstocom.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_state_exe_b03f5f7f11d50a3a_6.1.7600.16385_none_0df703f36aac2f13\aspnet_state.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3d8bb37f97ba22ff\sdbinst.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17514_none_6e37cb8c12652b73\ntkrnlpa.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_44b0c76c35d4b76d\wabmig.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\ehome\mcupdate.exe	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-credwiz_31bf3856ad364e35_6.1.7600.16385_none_fbcfa2528586252f\credwiz.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wusa_31bf3856ad364e35_6.1.7601.17514_none_0b2696ec2f3c656d\wusa.exe_	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_d5642974be118415\notepad.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
File created	C:\Windows\winsxs\wow64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_dbd4d2796675bc72\SearchFilterHost.exe-	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406333891"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f5400000000020000000000106600000001000020000000f1a0c98fb3552e12624430479441969ef54e2862df327af4bba5aeef1cdfebd8000000000e800000000200002000000098974fa604e4731260ecee8839df1c61be70f93661d662664e6bedccf5863a0e90000000f0d4eee9bbd6cb67a6085338f995655a0a40f02d982939d34fa8f8e9a0109b62bd1e92b279ff10431a3aea1f9c450ad80d4b9a4db512ee68c3a983ff9aff241db34784cfe7d44e80d0047ec0cb1e33885bd0f20b8254158ef6909dad6ec2a11aa1eddc1301bf061d8a8fb979a0accba339e62ca2bc31f3a9de1026c7a206a86b4af53610fed7370695b73e0b4d1b138b40000000528c792e4a31b9b7f2ff6fd4bd31657411b5ca2d1ec662219b0e0b9af921c05475f80f9331b2a1b5f6df25d53367a0f341e1f1b55fe8b4534b9cbb963686882f	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90180f62d818da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f540000000002000000000010660000000100002000000029dd781a5470f1b6f2e40ef80968ee1472ec27b5645752220a8f7d31874cdd21000000000e8000000002000020000000fdd9ea287cdd18ceb04610f8bcd8b02af814bf9bd99785b74537b7d7d067d02b200000005c93f8ee5d7236b5897cd03b86a26de23eaf3347e556673099fff41de529d8a340000000d08752cce9d762599ce693f4e5c0ce5bdafef9a8a2d6b1aed9694d4c01b99c0285bcc977a3ea356599b8d5be7373ef26e3b3296d12ad3a8bedff269eea79e2f3	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{84F8F601-84CB-11EE-B37F-463E77455252} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2280	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2280	IEXPLORE.exe
2280	IEXPLORE.exe
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2280	1816	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe	27
PID 1816 wrote to memory of 2280	1816	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe	27
PID 1816 wrote to memory of 2280	1816	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe	27
PID 1816 wrote to memory of 2280	1816	NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe	27
PID 2280 wrote to memory of 2872	2280	IEXPLORE.exe	29
PID 2280 wrote to memory of 2872	2280	IEXPLORE.exe	29
PID 2280 wrote to memory of 2872	2280	IEXPLORE.exe	29
PID 2280 wrote to memory of 2872	2280	IEXPLORE.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ddae517813533ff8cfb81a1187fcb6d0.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
880KB

MD5
5c77784e195c81143db29e7f270538d2

SHA1
f881877c35db3a7c499702479d84dd0c7051c0c7

SHA256
f9873f9d4b4c9ae3df1c0614fabe11fef50e3bd61522040938460164f7763570

SHA512
3ec91cba584a19962185c870ba338d051d7cd35e40be2f040cf6a8950d8034fce25d1a1c59a8d93933daca78a703c07169cc09b621a67945eb3e836321b31bc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92fdb5b580094614ef9220f32f574d11

SHA1
00b66a9bbc9a692453617415069c4b657c9d527c

SHA256
a1e80478543241ac9b7e42f11840bc647e8f2254e8e0ffba8f7a78c642e20ff8

SHA512
c50a3d4c286e95498334a9f9f36ca837da3ccc970a1b046e3d7423a48c0bcfe03c77da5b00c2640fa5b8c4ae14d024530fb4788f63970824d11d129b8e4e87e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec16485c28e88b2078eab8daeae9cca8

SHA1
92af64d9df03b60252a9bf09635a6056e16ddd60

SHA256
db3c491118624f031a2fc6d07509ba96be9cf68d1eef6e42467d97b187f804ae

SHA512
45ecc542cdfe9aa84f6a260b0f8268841becacd31a13691d6f3f7efe6433bdc2d7a26476edcea67249e595bf34d61e897666025bb529ef2a3d432acae9a00007

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
51fce522e773d99e171b7d6f59c25830

SHA1
8af2a23685cfbac621ae5125fc931664d064017c

SHA256
9faf4414d31d22651e06b332380e1a9935d5fb0bbe19bdde11b57badba054f27

SHA512
1ddebaec62f390b8935a038a5614aba37744e561644a103946a8310b7dabd16cbd4c5f19564a0ef3643bd7edd2b69838c41d2deb5d1b15fd1df4ce3455656985

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00360f2743daa1f1c4dd2687f93bf59f

SHA1
276a36260d65393e5c08ff4e4c6dc9d8df574961

SHA256
49e7307c931772f2d2d5022f5cce3c371005ee0dfe31f9b2c5c5089b542b3c76

SHA512
c06c8107459d69cd34669e5cee4b2d455e9729f980afbcfa7172f5fe7fd0c67d7f23bae0e89935b94ad9bb8dedf84cfd13c146251ba24a63a99734ff5a0be937

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2aa1f4983fcf8b28d477cf898f946bc8

SHA1
10eab8a234a8a21dab4f146bb5645c01abe5936e

SHA256
0b7661a60cb1d361a46814b83310208bda790af6347ce24420162320936f4a33

SHA512
0117a3965fd22e2bc4d6e1bf6876158ac8c98d4c12421baaa69df5a773d684a1bdd364f19b9403fbba50259eefdab96db9b39a7d6f96aceadb39992a37ab1649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e53d8b77db3660597495536cc7b8ad3d

SHA1
33fed5828447b0dac9bdea95b43b7c009f33d612

SHA256
ce0141a8bf0c3da4c95b40b5b7d1f4d6bfc4cbb7879387d8928b949b2299cd52

SHA512
288b82256f59710c9933c66e0c414e5e500b6048b8b956795b1f0b62ee5e2266877d43aa3b0505e15ad4a89022f96b76fb47d3d29b7f711f8703ac8b4ae277e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d89c69ec3e2cdeeecb6ee16cb3810d6c

SHA1
008d6b055ee7dc32faad594c19f0e4da303e1c9d

SHA256
4fe4fc61a76c09855a347f95d608f13590dea1f17648f908fddd661ba0df12d0

SHA512
8780ab12335f9152ef730714e24c1b7cedf66d4dfc0509ddd4700acefecd46c384b82565402a713c52c5d912b40faae382b864c32bfe6a2cdaffaab7753ce537

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89d621cf1cd4271ba3e3f24f83e8e05f

SHA1
f8b13c29a6ab27ee39cde234e4ab7d3e754eee25

SHA256
e8e7ff620bd3a805b1592d594b80de1abc8207f28508e771aa2826f12d2e8f7b

SHA512
432ccc34853f5d3d3e133cf11a052449c65a9a6edf71c55088007607e52bf6f942b81abe24a4be9752677f1c1f1dc0783d0e862ffb0322b35f86191a7def867e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5de948fcf06aa5e6c3abc2b2033f78ed

SHA1
2c5bb430984ce1c52a5304a0d98cec8dd6cc49f0

SHA256
81bc1e30226f117815e86de18c8cf01465b0b24d2a91285c705f5ba2bb4566c4

SHA512
300481f1c4874d405d4abcc3ff8df5ce2b724ebb0c17c31ad5acb94532f447a6aed0e88e5c9f7450ef4ff0874d636c414a11dfa59f4fff20854c0cdfeed1c6f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf362c4ca57e91a933114553685a9b52

SHA1
3a485561a63219b0b496caf1fca79be5d4e70087

SHA256
cb43f5e1f2523191e19b2ebc1891dcb10f109c1128a1530d4b61e435a5f7631d

SHA512
29846ad688f381589f73332c8f7060c310ffae323fcd62fa97fbbb1282606a4fd315b6104d70d4c42986a3175fbfbedd1a46191c7f4ac3245a96d54f1e55ade8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af9b622c076ae5b663bc907cfda80304

SHA1
89d0119d8c046501e0aeaa2110b5f2253632ac5f

SHA256
0edb353d850fd435dcc7501c244787f6042a1e271aac070ad5c5842c13448896

SHA512
50b9f75a56f1e565de0ee7c2661d257ac1955ac14699258cb55e5b8b02313f0436b5dcbeec88c0b6135b631166649ffc2afdbbb57ebe82793aac163061f3e4b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50500595b658c3e5743d645369504ddb

SHA1
2ecf3c57be08244f9b881111ac1dfb08de855a75

SHA256
5dce7f03cb4a0b4453bc5dcf7024400366f1942622771eb9d664cf955e3555c1

SHA512
51e5fcd22daa18d369239054f8453a01ac47ce6ec6a0a686afce22f2206ac1e360ee69e62db09cc00e49e438c1f07ebee1e36a5d1eed2b1defab133169039dec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3e1b9427a200647b4a9b3c24e724112

SHA1
235ece401957ede5f03f6bd6abebf1956018a64c

SHA256
0a6aee8e56eea7562d766453ce76664339cb2b43e17145344ebfabe58e8bd4f9

SHA512
c6106ab98aa4435d1718808e9e52afc2e0771b294f66b26e693900094a06ec84ce9baae83f774d6a4d785a14eafb18fab7ab9a5f63c9ecf0b6128fecc51f40c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08a3c5ec7c14dd10ffdff0d64bf888d1

SHA1
309a5e13e6de92319ea9d3e4c56433f497edde80

SHA256
904dd0eefcf1811e459be2582639b2774ce3a785e675ec7cb6e6ed4350dd6aa6

SHA512
97fc9a971d03d6d30458f495608f378db28ec1b2e602e1c295096f9e48b568830883cc1dadbe8b19f68b0121cf337dfd9d4723ba81866f208d302fb5304112f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72b552581d48f03e5e6c775dbeb387bc

SHA1
fa72a83701173fd40ea10f90260ceaf88395c750

SHA256
2adbcb3c2c3e2fb72e827c32a06571618e23755f7805eb351e9abaeda0ad4395

SHA512
dabfb2d00b241afd56407a4df5bd9e2e89638c91022d5c19bd55e41546da6687ab7d9eaf1c2f35069388a445c9a62a9a3b5386ee0f2f78a7ebcf67aac53c0da2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c208a50d110cb3619da81778556b66e

SHA1
b9dbef8d617026106cfec231d34531460c928ba1

SHA256
844be23f624217db41e07e6e8df9649be7682322fb7a3db89b267f357dd48c16

SHA512
5b3a8bfde06a32be62449044ca694a04a4c182e02f32a653d8b4ae2b4f7af1087544c25dd344edb11eca8912b12ba6e5bb9e8e0b6fdab6da35f27db23e89149d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4175afc65441c02e72602ceafec12c1

SHA1
298548833284f6ff537255dc5d7148db94eaa5d4

SHA256
c7baa206300df01b02ad9c27e39e92bb5948c7d6d0cc8051e2c9582bbbcda30c

SHA512
ccf58908da36f3afba789a83fbdecf06285c7f3108e56fd84192591093d81638c18b71ec9d22038e70a65938027783d7dea8bb404d1a834d55081d7eac390b03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0eaff770c5651c3fcf6a0b76613f689

SHA1
e2381777c32d1ff99c2887d36dfe20cadc0bbec4

SHA256
312d8e5ed7f68e28a0f5b951b50f62f7ba4e9439abeb567fd16375eee7c2b155

SHA512
0ab6c5307b5537d3307c67a96ad3efedf94c7e182e0cc40a36fc2d54cd5d347ec804c2aa02a6e2514fe50d4a19e93992eea607f23232f57cd2e9fd9c9a2274cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ea12e8b627aa344bdf8249625afebc5f

SHA1
b6282e797682995cd8ad16d3121cdca611c3be3d

SHA256
f139ab7a65077717bc259b82b71de57b84402662e2cedbfd04d9e079261e3839

SHA512
9686fe97ae90b63135c47f4fafd6fe41d6c911a35b50bbb8d8ce1af95b076c501a8698008e9e7740661306423965b664ca4d75375bfd66c200ad2040d8b104a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE503.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE5E2.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/1816-2004-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1816-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads