Analysis
max time kernel
155s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231020-en locale:en-us os:windows10-2004-x64 system
submitted
17-11-2023 22:04
Behavioral task
behavioral1
Sample
NEAS.6a74768de5035c243e3ddb22769eb410.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.6a74768de5035c243e3ddb22769eb410.exe
Resource
win10v2004-20231020-en
General
Target
NEAS.6a74768de5035c243e3ddb22769eb410.exe
Size
1.1MB
MD5
6a74768de5035c243e3ddb22769eb410
SHA1
a5bbda1281b578821266be63cc75cc6d410443fd
SHA256
5107d5b9da6e5e27baec355c7057bd8e8e75203d65cab78e0912ae123d3ece62
SHA512
b3246ac93819c36e82f35449d4d75a967c22806423e9d9ba1248da80bb64de8295f5aa803b1d025a9c9d7d6c45b5af33c466ca9a5876b98672b5724b8d3e5bf8
SSDEEP
24576:65jcAkSYqyEZYTqMi8CtBd2QHCHmTBW5mT3:gpYqQqJtb2Iz
Malware Config
Signatures
yara_rule upx (15 resources)
resource yara_rule
behavioral2/memory/1252-0-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/files/0x0008000000022d58-5.dat upx
behavioral2/memory/1252-610-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/1252-1246-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/1252-1359-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/1252-1593-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/1252-1639-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/1252-1900-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/1252-2696-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/1252-3914-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/1252-4290-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/1252-4291-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/1252-4292-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/1252-4293-0x0000000000400000-0x000000000040F000-memory.dmp upx
behavioral2/memory/1252-4295-0x0000000000400000-0x000000000040F000-memory.dmp upx
Note that the fourteen memory matches are all the same 0x0000000000400000-0x000000000040F000 image region of PID 1252, re-dumped at successive points in the run, so they are one packed artifact rather than fourteen; the remaining match is the file artifact 0x0008000000022d58-5.dat.
Drops file in System32 directory 64 IoCs
description: File created (every entry); Process: NEAS.6a74768de5035c243e3ddb22769eb410.exe (every entry)
Paths ending in "-" are listed that way in the report (e.g. cmd.exe- alongside cmd.exe): the trailing hyphen is part of the created file name, not a separator.
ioc:
C:\Windows\SysWOW64\wbem\mofcomp.exe-
C:\Windows\SysWOW64\ByteCodeGenerator.exe-
C:\Windows\SysWOW64\hh.exe-
C:\Windows\SysWOW64\msra.exe
C:\Windows\SysWOW64\w32tm.exe
C:\Windows\SysWOW64\sethc.exe
C:\Windows\SysWOW64\tttracer.exe-
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\WPDShextAutoplay.exe-
C:\Windows\SysWOW64\cacls.exe
C:\Windows\SysWOW64\fontdrvhost.exe-
C:\Windows\SysWOW64\iexpress.exe-
C:\Windows\SysWOW64\PresentationHost.exe
C:\Windows\SysWOW64\winrshost.exe-
C:\Windows\SysWOW64\attrib.exe
C:\Windows\SysWOW64\Dism\DismHost.exe
C:\Windows\SysWOW64\LaunchWinApp.exe-
C:\Windows\SysWOW64\TSTheme.exe-
C:\Windows\SysWOW64\WerFaultSecure.exe
C:\Windows\SysWOW64\wowreg32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\gpupdate.exe-
C:\Windows\SysWOW64\rekeywiz.exe
C:\Windows\SysWOW64\tzutil.exe
C:\Windows\SysWOW64\wecutil.exe-
C:\Windows\SysWOW64\icsunattend.exe-
C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE-
C:\Windows\SysWOW64\mstsc.exe-
C:\Windows\SysWOW64\psr.exe
C:\Windows\SysWOW64\RdpSaUacHelper.exe-
C:\Windows\SysWOW64\shutdown.exe
C:\Windows\SysWOW64\verifiergui.exe-
C:\Windows\SysWOW64\GameBarPresenceWriter.exe-
C:\Windows\SysWOW64\iscsicli.exe
C:\Windows\SysWOW64\MRINFO.EXE-
C:\Windows\SysWOW64\poqexec.exe-
C:\Windows\SysWOW64\tree.com-
C:\Windows\SysWOW64\w32tm.exe-
C:\Windows\SysWOW64\cmd.exe-
C:\Windows\SysWOW64\dvdplay.exe-
C:\Windows\SysWOW64\iscsicpl.exe-
C:\Windows\SysWOW64\netbtugc.exe-
C:\Windows\SysWOW64\ThumbnailExtractionHost.exe-
C:\Windows\SysWOW64\regedit.exe
C:\Windows\SysWOW64\Dism.exe-
C:\Windows\SysWOW64\eudcedit.exe-
C:\Windows\SysWOW64\Taskmgr.exe
C:\Windows\SysWOW64\GameBarPresenceWriter.exe
C:\Windows\SysWOW64\SearchFilterHost.exe-
C:\Windows\SysWOW64\wowreg32.exe-
C:\Windows\SysWOW64\wsmprovhost.exe-
C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
C:\Windows\SysWOW64\waitfor.exe-
C:\Windows\SysWOW64\xwizard.exe-
C:\Windows\SysWOW64\cmmon32.exe-
C:\Windows\SysWOW64\finger.exe
C:\Windows\SysWOW64\icsunattend.exe
C:\Windows\SysWOW64\mode.com-
C:\Windows\SysWOW64\ndadmin.exe
C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe-
C:\Windows\SysWOW64\prevhost.exe-
C:\Windows\SysWOW64\runas.exe
C:\Windows\SysWOW64\CloudNotifications.exe-
C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe
Drops file in Program Files directory 64 IoCs
description: File created (every entry); Process: NEAS.6a74768de5035c243e3ddb22769eb410.exe (every entry)
ioc:
C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
C:\Program Files\Mozilla Firefox\maintenanceservice.exe
C:\Program Files\Java\jdk-1.8\bin\javah.exe
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
C:\Program Files\Java\jdk-1.8\bin\ktab.exe
C:\Program Files\Java\jre-1.8\bin\ktab.exe-
C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe-
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files\Common Files\microsoft shared\ink\mip.exe-
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe-
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe-
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe
C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe-
C:\Program Files\Java\jdk-1.8\bin\jjs.exe-
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{413231AA-9CB1-48F6-8F03-FAD29C1C9B35}\MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe-
C:\Program Files\Internet Explorer\iexplore.exe-
C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe-
C:\Program Files (x86)\Windows Mail\wabmig.exe
C:\Program Files\Mozilla Firefox\updater.exe-
C:\Program Files\Windows Media Player\wmpnetwk.exe-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe
C:\Program Files (x86)\Windows Media Player\wmpconfig.exe-
C:\Program Files (x86)\Windows Media Player\wmlaunch.exe-
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe-
C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Windows Media Player\wmpshare.exe-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe-
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe-
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe-
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe-
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe-
C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
C:\Program Files\Java\jdk-1.8\bin\xjc.exe
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe
C:\Program Files\Windows Media Player\wmlaunch.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe-
C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe-
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE-
C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE-
C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe-
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe-
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe-
C:\Program Files (x86)\Microsoft\Temp\EU80B9.tmp\MicrosoftEdgeComRegisterShellARM64.exe
C:\Program Files (x86)\Microsoft\Temp\EU80B9.tmp\MicrosoftEdgeUpdateBroker.exe
Drops file in Windows directory 64 IoCs
description: File created (every entry); Process: NEAS.6a74768de5035c243e3ddb22769eb410.exe (every entry)
ioc:
C:\Windows\WinSxS\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.746_none_56f2f7338735a9a6\FXSCOVER.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_10.0.19041.906_none_198d8d483aa30ed0\f\gpupdate.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_10.0.19041.746_none_d19001beed7624dc\r\CertEnrollCtrl.exe-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_10.0.19041.1266_none_c67a7a982eedc4e8\f\explorer.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-setspn_31bf3856ad364e35_10.0.19041.1_none_35f6aeed7d8158f9\setspn.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.1266_none_fb98272b39a47240\r\usocoreworker.exe-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.1081_none_e4e5027bf1e82209\f\WerFault.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-photoscreensaver_31bf3856ad364e35_10.0.19041.746_none_49c7c9a4b745444e\PhotoScreensaver.scr-
C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.262_none_e73f0197262d9fec\TiFileFetcher.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-wmpdmc-ux_31bf3856ad364e35_10.0.19041.746_none_cc5cbb9556301da3\WMPDMC.exe-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-c..-disposableclientvm_31bf3856ad364e35_10.0.19041.985_none_c3639a9e3ab1a351\r\WindowsSandboxClient.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\logman.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.153_none_59d1094dec9b8480\f\Spectrum.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-dataexchangehost_31bf3856ad364e35_10.0.19041.264_none_c765d8a6c76ec25f\f\DataExchangeHost.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.746_none_56f2f7338735a9a6\r\FXSCOVER.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.19041.1_none_aa1fc2e87b362d12\regedt32.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\prevhost.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.19041.1_none_20dbe0239a0c22b4\vdsldr.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-w..cquisition-wiawow64_31bf3856ad364e35_10.0.19041.1_none_827105fe900187d1\wiawow64.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1060d2d22df7c6eb\r\WWAHost.exe-
C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.19041.1288_none_1cec63974464878f\f\SenseCncProxy.exe-
C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe
C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\r\ScriptRunner.exe-
C:\Windows\WinSxS\amd64_netfx4-ngen_exe_b03f5f7f11d50a3a_4.0.15805.0_none_b2fd45ddd475eb50\ngen.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\f\smartscreen.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-u..teelevatedinstaller_31bf3856ad364e35_10.0.19041.1_none_3b7fdf76aa8cfd53\WindowsUpdateElevatedInstaller.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-capturepicker.appxmain_31bf3856ad364e35_10.0.19041.423_none_12ca604b48f8d3fb\f\CapturePicker.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-d..frameworks-usermode_31bf3856ad364e35_10.0.19041.1_none_53029e0f94a11c6d\WUDFCompanionHost.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-d..ls-adschemaanalyzer_31bf3856ad364e35_10.0.19041.1_none_89e9f21ed63037f6\ADSchemaAnalyzer.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.19041.746_none_ff52abd5cb47bbe1\r\lpksetup.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1_none_a5a5fe7757df26e3\NcsiUwpApp.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-s..biometrics-trustlet_31bf3856ad364e35_10.0.19041.1266_none_ba0845abb58c8bdd\BioIso.exe-
C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe-
C:\Windows\WinSxS\amd64_netfx-csharp_compiler_csc_b03f5f7f11d50a3a_10.0.19041.1_none_77b40a18a99e4f02\csc.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_72f9f7c7a1b307dd\f\TpmTool.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-verclsid_31bf3856ad364e35_10.0.19041.1_none_71d7deb9b2d1d29b\verclsid.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-s..csengine-nativehost_31bf3856ad364e35_10.0.19041.1_none_d016f232fbeefbad\sdiagnhost.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.1_none_4fb50fb329007a5d\SnippingTool.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\f\UNPUXHost.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_2e31e8eed4b770c3\r\unsecapp.exe-
C:\Windows\WinSxS\amd64_multipoint-wmssvc_31bf3856ad364e35_10.0.19041.746_none_9ebd3ef9f0c794b5\f\WmsSvc.exe-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe
C:\Windows\WinSxS\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.19041.264_none_6b6699b671c8f5a8\r\VmComputeAgent.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-autofmt_31bf3856ad364e35_10.0.19041.1266_none_5aba1063745f6e01\f\autofmt.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-d..directplay8-payload_31bf3856ad364e35_10.0.19041.1_none_b970f5eb6342eadb\dpnsvr.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-filehistory-ui_31bf3856ad364e35_10.0.19041.746_none_2c2bcd67e9d4665c\r\FileHistory.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-rasclienttools_31bf3856ad364e35_10.0.19041.1266_none_e40ca34e5de298c9\f\rasdial.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\systemreset.exe-
C:\Windows\PrintDialog\PrintDialog.exe
C:\Windows\WinSxS\amd64_microsoft-windows-autochk_31bf3856ad364e35_10.0.19041.1266_none_56b9c0cf76f27918\autochk.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-f..ysafety-refreshtask_31bf3856ad364e35_10.0.19041.1266_none_d375b5361b806b32\r\WpcTok.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\r\wksprt.exe-
C:\Windows\WinSxS\amd64_wpf-xamlviewer_31bf3856ad364e35_10.0.19041.1_none_0bff5a051c4a690a\XamlViewer_v0300.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-a..eapplifetimemanager_31bf3856ad364e35_10.0.19041.746_none_45062eb997366a7f\f\RemoteAppLifetimeManager.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-ecapp.appxmain_31bf3856ad364e35_10.0.19041.1_none_b30156e32b833fb0\Microsoft.ECApp.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1_none_52c6583f47afba7a\convert.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.0.19041.1202_none_512e9d368c70b758\f\iexplore.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_10.0.19041.1266_none_8fc08423f52c1606\wmlaunch.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\r\LegacyNetUXHost.exe-
C:\Windows\WinSxS\amd64_microsoft-windows-openfiles_31bf3856ad364e35_10.0.19041.1_none_9d17748489c1b07e\openfiles.exe-
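The three "Drops file" tables are the actionable part of this report, but the page renders each one as a single run-together line. The Python below is an added example, not part of the sandbox output, that parses rows in that form (an eight-row excerpt copied verbatim from the tables above is embedded as constructed input), pairs every path ending in "-" with its unsuffixed original, buckets paths by the same directory families the three signature headings use, and derives directory-level globs for sweeping other hosts. The bucket names, the FileEvent type and the glob derivation are this example's own conventions; only the rows and the process name come from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: eight "File created" rows copied verbatim from the report
# above, in the run-together form the sandbox page renders them in.
REPORT_EXCERPT = (
    r"File created C:\Windows\SysWOW64\wbem\mofcomp.exe- NEAS.6a74768de5035c243e3ddb22769eb410.exe "
    r"File created C:\Windows\SysWOW64\w32tm.exe NEAS.6a74768de5035c243e3ddb22769eb410.exe "
    r"File created C:\Windows\SysWOW64\cmd.exe NEAS.6a74768de5035c243e3ddb22769eb410.exe "
    r"File created C:\Windows\SysWOW64\w32tm.exe- NEAS.6a74768de5035c243e3ddb22769eb410.exe "
    r"File created C:\Windows\SysWOW64\cmd.exe- NEAS.6a74768de5035c243e3ddb22769eb410.exe "
    r"File created C:\Program Files\Mozilla Firefox\maintenanceservice.exe NEAS.6a74768de5035c243e3ddb22769eb410.exe "
    r"File created C:\Program Files\Mozilla Firefox\updater.exe- NEAS.6a74768de5035c243e3ddb22769eb410.exe "
    r"File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe NEAS.6a74768de5035c243e3ddb22769eb410.exe"
)

# One row = "File created <path, may contain spaces> <process>", terminated by
# the next "File created" or by end of text. The lazy path group stops at the
# first token that is followed by such a terminator, so spaces in the path survive.
ROW_RE = re.compile(r"File created (?P<path>.+?) (?P<process>\S+)(?= File created |\s*$)")


@dataclass(frozen=True)
class FileEvent:
    path: str
    process: str

    @property
    def is_companion(self) -> bool:
        # The report lists names such as cmd.exe- next to cmd.exe; the trailing
        # hyphen is part of the created file name.
        return self.path.endswith("-")

    @property
    def original(self) -> str:
        return self.path[:-1] if self.is_companion else self.path


def parse_file_created(text: str) -> list[FileEvent]:
    # Collapse the line wrapping the page introduced mid-row ("File\ncreated").
    flat = " ".join(text.split())
    return [FileEvent(m["path"], m["process"]) for m in ROW_RE.finditer(flat)]


def location(path: str) -> str:
    """Bucket a path the way the report's three signature headings do (example's own labels)."""
    p = path.lower()
    if p.startswith(("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")):
        return "system32"
    if p.startswith(("c:\\program files\\", "c:\\program files (x86)\\")):
        return "program_files"
    if p.startswith("c:\\windows\\"):
        return "windows"
    return "other"


def pair_by_original(events: list[FileEvent]) -> dict[str, dict[str, bool]]:
    """For each unsuffixed executable path, record whether the sample created
    the executable itself, its '-' companion, or both."""
    pairs: dict[str, dict[str, bool]] = defaultdict(
        lambda: {"original": False, "companion": False}
    )
    for ev in events:
        pairs[ev.original]["companion" if ev.is_companion else "original"] = True
    return dict(pairs)


def hunt_globs(events: list[FileEvent]) -> list[str]:
    """Directory-level patterns for sweeping other hosts: one '*.<ext>-' glob
    per directory in which a companion file was created."""
    globs = set()
    for ev in events:
        if ev.is_companion:
            directory, name = ev.path.rsplit("\\", 1)
            ext = name.rsplit(".", 1)[-1]  # 'exe-', 'com-', 'scr-'
            globs.add(f"{directory}\\*.{ext}")
    return sorted(globs)


def summarize(events: list[FileEvent]) -> dict[tuple[str, bool], int]:
    """Count events per (location bucket, is_companion)."""
    counts: dict[tuple[str, bool], int] = defaultdict(int)
    for ev in events:
        counts[(location(ev.path), ev.is_companion)] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_file_created(REPORT_EXCERPT)
    for key, n in sorted(summarize(evs).items()):
        print(f"{key[0]:<14} companion={key[1]!s:<5} {n}")
    print("originals to integrity-check:",
          [p for p, f in pair_by_original(evs).items() if f["original"]])
    print("sweep globs:", hunt_globs(evs))
```

Run stand-alone it prints the bucket counts, the executables whose on-disk copies now need to be checked against a known-good catalog or Authenticode signature, and the globs to sweep other hosts for. Paste the full three tables in place of the excerpt to get the complete 192-path list. Pairs where only the companion appears (mofcomp.exe- with no mofcomp.exe row) still name an original worth checking, because these tables record file creations only, not modifications.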
Processes
Network
MITRE ATT&CK Matrix
Downloads
Filesize
6.2MB
MD5
adc35bf1d9085fb39962a4f2d53e9b1d
SHA1
c9473e3751dc822c3af6006714f4645bf6f5b803
SHA256
3bc177ef7c389c5403eb9ac8180d14db69f28812eb25cea3fc60fce32dd21876
SHA512
61b3ae19a320fcccbaa08f6d70958b5d293572da3434564b110988c106ed61f731806597b1f03d3b198850967f5771e11b6883239e83eb94ccb1e2bdf24a1905