f0e9ee9f8c122409ba0f4b395c16be5a118401c5b1a8a7951834ceea1fff7d48

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.765aa280d01694d4a764522d4d59d9c0.exe
Size

1.7MB
MD5

765aa280d01694d4a764522d4d59d9c0
SHA1

c0d55dc5a0495408c72ebf5f0e48f3b02b540265
SHA256

f0e9ee9f8c122409ba0f4b395c16be5a118401c5b1a8a7951834ceea1fff7d48
SHA512

5320382bf429755198befb0ef0af6ba583487903d4ab1ceae2d82a27d12b8e81b4a888e0ee424ae222e2bd4bf747556c01927ee85fc7e33fd5ea940b1898e589
SSDEEP

24576:65jcAkSYqyEZYTqMi8CtBd2QHCHmTBW5cANw243nFMYciSw1jKJS:gpYqQqJtb2I7ew2EFjhSmjKJS

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3452-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x00040000000006e5-5.dat	upx
behavioral2/memory/3452-402-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3452-1036-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3452-1355-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3452-1360-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3452-1554-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3452-1635-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3452-1641-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3452-2429-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3452-2862-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3452-3828-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3452-4267-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3452-4268-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3452-4269-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3452-4270-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\doskey.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\InfDefaultInstall.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\user.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\mode.com	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\regsvr32.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\wextract.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\chkntfs.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\hdwwiz.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\recover.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\TsWpfWrp.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\expand.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\UserAccountBroker.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\netbtugc.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\regsvr32.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\TRACERT.EXE	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\Utilman.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\Dism\DismHost.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\fc.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\isoburn.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\mode.com-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\wbem\WinMgmt.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\wsmprovhost.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\certutil.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\dpapimig.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\mountvol.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\PresentationHost.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\grpconv.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\MuiUnattend.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\prevhost.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\wbem\WMIADAP.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\choice.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\ComputerDefaults.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\explorer.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\forfiles.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\wecutil.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\where.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\WPDShextAutoplay.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\upnpcont.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\UserAccountControlSettings.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\agentactivationruntimestarter.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\extrac32.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\poqexec.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\sdiagnhost.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\msdt.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\upnpcont.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\winver.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\wscadminui.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\auditpol.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\BackgroundTransferHost.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\ByteCodeGenerator.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\eudcedit.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\BackgroundTransferHost.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\cttune.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\OneDriveSetup.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\SettingSyncHost.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\OpenWith.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\RMActivate.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\cttunesvr.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\icacls.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\icsunattend.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\MicrosoftEdgeComRegisterShellARM64.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\show_third_party_software_licenses.bat-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Windows Media Player\wmpconfig.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Internet Explorer\ExtExport.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\VideoLAN\VLC\vlc.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Windows Mail\wabmig.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Windows Media Player\wmplayer.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\f\AppVShNotify.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mapi_31bf3856ad364e35_10.0.19041.423_none_895925637881788e\r\fixmapi.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\relog.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.19041.1202_none_024525bdc81df50d\VmComputeAgent.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-atbroker_31bf3856ad364e35_10.0.19041.1_none_8591bd54bdb2be6f\AtBroker.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..ation-wincomponents_31bf3856ad364e35_10.0.19041.1_none_51b7888297a3c04e\LocationNotificationWindows.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1_none_52c6583f47afba7a\autoconv.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cloudnotifications_31bf3856ad364e35_10.0.19041.746_none_7000e6adf00c3d30\r\CloudNotifications.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-embedded-shelllauncher_31bf3856ad364e35_10.0.19041.1202_none_b918e36ffc7a6ffe\f\ShellLauncherConfig.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-adminservice_31bf3856ad364e35_10.0.19041.1_none_1058f7ab971a5799\WMSvc.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.264_none_0e32f443c4669fed\hvix64.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..ment-windows-minwin_31bf3856ad364e35_10.0.19041.1266_none_c4b179e0b12fe4b9\r\winload.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..agement-omadmclient_31bf3856ad364e35_10.0.19041.1151_none_c86feb6936a97173\f\omadmclient.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..e-client-ui-wsreset_31bf3856ad364e35_10.0.19041.746_none_a47144c464d15475\WSReset.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-browser-brokers_31bf3856ad364e35_11.0.19041.746_none_581ccf386ba57d51\browserexport.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dispdiag_31bf3856ad364e35_10.0.19041.1_none_fad576d8cf74b38a\dispdiag.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..client-ui-wscollect_31bf3856ad364e35_10.0.19041.746_none_e7acb2599054dc72\f\WSCollect.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cttunesvr_31bf3856ad364e35_10.0.19041.746_none_cdf422107d2779cf\r\cttunesvr.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_10.0.19041.1_none_233543e4fce957ae\cleanmgr.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..tx-dxgiadaptercache_31bf3856ad364e35_10.0.19041.84_none_9f3e49455f52d8f7\dxgiadaptercache.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mapi_31bf3856ad364e35_10.0.19041.423_none_895925637881788e\fixmapi.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\f\wmplayer.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.1288_none_6c70124c60e2b4ef\f\vmcompute.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\CallingShellApp.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-eventlog-commandline_31bf3856ad364e35_10.0.19041.1202_none_3594628932065f23\f\wevtutil.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_e95531bdadf3df5c\wmplayer.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1266_none_69f1a169b4d96a7c\pcwrun.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.746_none_790f12933fbf7e0d\r\rmttpmvscmgrsvr.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-onlinesetup-component_31bf3856ad364e35_10.0.19041.746_none_4b0a936d86cdd479\windeploy.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.264_none_40d14f6c04397868\agentactivationruntimestarter.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bootux.deployment_31bf3856ad364e35_10.0.19041.746_none_1c0a97992f105d4b\f\bootim.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..riseclientsync-host_31bf3856ad364e35_10.0.19041.1202_none_42d3a7d52bcb0f8d\r\WorkFolders.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\BioEnrollmentHost.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\r\ScriptRunner.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..iondata-cmdlinetool_31bf3856ad364e35_10.0.19041.1202_none_fceb29af5a61f7e6\f\bcdedit.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bootconfig_31bf3856ad364e35_10.0.19041.1_none_c2078a8db9a59aef\bootcfg.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-getmac_31bf3856ad364e35_10.0.19041.1_none_c1efa43e415898e4\getmac.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\r\AppVShNotify.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..screencontentserver_31bf3856ad364e35_10.0.19041.1_none_bd38794249e3d110\LockScreenContentServer.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1288_none_71734bf99a2a6955\UevTemplateConfigItemGenerator.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-openfiles_31bf3856ad364e35_10.0.19041.1_none_9d17748489c1b07e\openfiles.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.1_none_e2f75fda217d5015\hvc.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-c..periencehost-broker_31bf3856ad364e35_10.0.19041.746_none_1ce3c0f12fb5f8ec\r\CloudExperienceHostBroker.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1288_none_71734bf99a2a6955\Microsoft.Uev.SyncController.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-disksnapshot_31bf3856ad364e35_10.0.19041.1_none_3640cf5b039ce2f0\DiskSnapshot.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-managementconsole_31bf3856ad364e35_10.0.19041.1_none_3dc4aae45a75023d\InetMgr.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-isoburn_31bf3856ad364e35_10.0.19041.746_none_c42bf1ebf80a8661\r\isoburn.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\f\OOBENetworkConnectionFlow.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.19041.153_none_ff44cfa7cb529ce3\lpremove.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\auditpol.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-d..ectxdatabaseupdater_31bf3856ad364e35_10.0.19041.84_none_2d21e26a18d595c7\f\directxdatabaseupdater.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasclienttools_31bf3856ad364e35_10.0.19041.1266_none_e40ca34e5de298c9\rasphone.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.19041.1023_none_d3d892f3280079d7\f\MdmDiagnosticsTool.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.264_none_098f3a6c3a48359d\r\printfilterpipelinesvc.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-embedded-shelllauncher_31bf3856ad364e35_10.0.19041.264_none_223a5768a6257099\f\CustomShellHost.exe-	NEAS.765aa280d01694d4a764522d4d59d9c0.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.765aa280d01694d4a764522d4d59d9c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.765aa280d01694d4a764522d4d59d9c0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\odt\office2016setup.exe-

Filesize
6.8MB

MD5
1afa023c4e1db4834713a39435e58dd0

SHA1
21b595d3684dd557dc85150efd81c4abe643d51d

SHA256
a76478999e32ba1619254be2b4eebd28818f6da1966b25d26d7da6043ed75dea

SHA512
a341d06d223e1a486b981964a833a0c0c9d423cdc087892ea8fd305611ed74cc71f2483430960a86ddce4716500274a502445a53230c04f2c505df5ff34d7f54

Download Submit
memory/3452-1641-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-3828-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-1036-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-1355-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-1360-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-1554-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-402-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-2429-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-1635-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-2862-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-4267-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-4268-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-4269-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3452-4270-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download