Analysis
max time kernel: 83s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 21:31
Behavioral task: behavioral1
Sample: 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
Resource: win10v2004-20220812-en
General
Target: 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
Size: 185KB
MD5: 12a7a6b7340947a73230cc7de1de4eba
SHA1: 1efc094ea417a757391818a3e457ffe3e7d4237b
SHA256: 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd
SHA512: 29f563d2386dde480f3ca9e69b138458da1d291dc32c619c7d8f07c380cc06423c67b3588681c79a4643c6975095be835a061db224c2c803202df1ec7b794747
SSDEEP: 3072:O5sPGQe5sX6dehxxjq0Fp2XAdff3+Jg/P44xpflta2c935ab0Q80f:PGtsDPOXAdff3CgzuzS
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral1/memory/1356-54-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral1/memory/1356-55-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral1/memory/1356-56-0x0000000000400000-0x000000000040F000-memory.dmp | upx
Drops file in System32 directory 64 IoCs
Processes: 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Dism\DismHost.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\eventvwr.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\grpconv.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\msdt.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\eudcedit.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\msinfo32.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\net1.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\resmon.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\taskmgr.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\dxdiag.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\gpscript.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\scrnsave.scr | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\chcp.com- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\cmd.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\expand.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\logagent.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\mountvol.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\MRINFO.EXE- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\netbtugc.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\esentutl.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\hh.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\IME\IMEJP10\IMJPDCT.EXE | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\IME\IMETC10\IMTCPROP.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\RMActivate_ssp_isv.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\runonce.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\Bubbles.scr | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\compact.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\doskey.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\dplaysvr.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\lodctr.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\RunLegacyCPLElevated.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\timeout.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\choice.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\gpresult.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\NAPSTAT.EXE- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\psr.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\unlodctr.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\w32tm.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\svchost.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\autoconv.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\colorcpl.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\doskey.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\Magnify.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\netiougc.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\notepad.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\setx.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\SystemPropertiesRemote.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\Dism.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\hdwwiz.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\sdiagnhost.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\SearchIndexer.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\setupugc.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\ARP.EXE | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\dvdplay.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\find.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\icacls.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\mode.com | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\mstsc.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\Mystify.scr | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\shrpubw.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\tree.com | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\drvinst.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\ieUnatt.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\SysWOW64\ReAgentc.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
Drops file in Program Files directory 64 IoCs
Processes: 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
description | ioc | process
File created | C:\Program Files\7-Zip\7z.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jre7\bin\klist.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jre7\bin\pack200.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Windows Media Player\setup_wm.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\7-Zip\7zG.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateSetup.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Internet Explorer\iediagcmd.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.bat- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Windows Media Player\setup_wm.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Mozilla Firefox\plugin-container.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Windows Media Player\WMPDMC.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Internet Explorer\iexplore.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Windows Media Player\WMPDMC.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Internet Explorer\ieinstal.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jre7\bin\ktab.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\7-Zip\7zFM.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
Drops file in Windows directory 64 IoCs
Processes: 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
description | ioc | process
File created | C:\Windows\ehome\ehrec.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-deployment_31bf3856ad364e35_6.1.7600.16385_none_57e3e87206ff08ca\setupugc.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-r..eak-diagnostic-core_31bf3856ad364e35_6.1.7600.16385_none_b70694aa97134f37\rdrleakdiag.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-migrationengine_31bf3856ad364e35_6.1.7601.17514_none_5aaf419e398215df\mighost.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_31ae00ebd2fb34b5\icardagt.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-wizard_31bf3856ad364e35_6.1.7600.16385_none_7680aa7b6195f2c6\DVDMaker.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-pnputil_31bf3856ad364e35_6.1.7600.16385_none_5958b438d6388d15\PnPutil.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-openfiles_31bf3856ad364e35_6.1.7600.16385_none_e6fcbd244bb7bf74\openfiles.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-taskkill_31bf3856ad364e35_6.1.7600.16385_none_25545528bd642170\taskkill.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\msil_dfsvc_b03f5f7f11d50a3a_6.1.7600.16385_none_3a54952b454a8916\dfsvc.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\ehome\Mcx2Prov.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehmsas_31bf3856ad364e35_6.1.7600.16385_none_8707c620868fdf75\ehmsas.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-sethc_31bf3856ad364e35_6.1.7601.17514_none_c0e644688bbad892\sethc.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-xcopy_31bf3856ad364e35_6.1.7600.16385_none_beea9c500dfd4622\xcopy.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_6.1.7600.16385_none_2831d06e8295c671\upnpcont.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-setup-component_31bf3856ad364e35_6.1.7601.17514_none_905283bdc3e1d2d8\Setup.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\ehome\ehmsas.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-driverquery_31bf3856ad364e35_6.1.7600.16385_none_f217bd1caebaa683\driverquery.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\wmpshare.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_6.1.7601.17514_none_12d42225a9a7aef7\showmount.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_6.1.7600.16385_none_052696aea98bcefc\PING.EXE- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-processmodel_31bf3856ad364e35_6.1.7601.17514_none_14e7939dbb62df13\w3wp.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-sxs_31bf3856ad364e35_6.1.7601.17514_none_b0540607b5e5d445\sxstrace.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_34ce5d95ad203bbe\ROUTE.EXE- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_netfx-vb_compiler_b03f5f7f11d50a3a_6.1.7601.17514_none_cc9e34fd4e687b15\vbc.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-c..mplus-admin-comrepl_31bf3856ad364e35_6.1.7600.16385_none_45fe6fe8a9201e55\comrepl.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_6.1.7600.16385_none_ad5854ca0a23343d\umount.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-d..-japanese-migration_31bf3856ad364e35_6.1.7600.16385_none_0e3c9ce5e73a7257\imjppdmg.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-d..ervicing-management_31bf3856ad364e35_6.1.7600.16385_none_5e7ff93b6f0000b7\Dism.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_632ae4bc5d173763\relog.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-s..mpropertieshardware_31bf3856ad364e35_6.1.7600.16385_none_40d0db63344deff9\SystemPropertiesHardware.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-waitfor_31bf3856ad364e35_6.1.7600.16385_none_b63c0c04dc872e59\waitfor.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-es-authentication_31bf3856ad364e35_6.1.7600.16385_none_419312c477ec702a\EhStorAuthn.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-defrag-cmdline_31bf3856ad364e35_6.1.7600.16385_none_2370c162e00680c3\Defrag.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-mapi_31bf3856ad364e35_6.1.7601.17514_none_097346be305f3966\fixmapi.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.1.7601.17514_none_533cd4f8150e6a86\RMActivate_ssp_isv.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_6.1.7600.16385_none_f5b8f3d6a353fa89\SnippingTool.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-ipconfig_31bf3856ad364e35_6.1.7600.16385_none_4c104723794237c2\ipconfig.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\ehome\ehmsas.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..xing-service-server_31bf3856ad364e35_6.1.7601.17514_none_0db5e5844ed6ffe9\CISVC.EXE- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_6.1.7601.17514_none_7920b60d569a4a1e\wmlaunch.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-telnet-server-tlntsvr_31bf3856ad364e35_6.1.7600.16385_none_1ab997fb0a83afdd\tlntsvr.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..erinboxgames-spades_31bf3856ad364e35_6.1.7600.16385_none_6fa6d7361acba514\shvlzm.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5a78515e29ea6f39\regedt32.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-directx-directplay4_31bf3856ad364e35_6.1.7600.16385_none_76e6c1802136b090\dplaysvr.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-s..executionprevention_31bf3856ad364e35_6.1.7600.16385_none_c9b9bfc685ed05d3\SystemPropertiesDataExecutionPrevention.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-bcdboot-cmdlinetool_31bf3856ad364e35_6.1.7601.17514_none_bf7bea0454c3f0cf\bcdboot.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-convert_31bf3856ad364e35_6.1.7601.17514_none_fafb502abef1be40\convert.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_244ae8599e6d81bb\hh.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\MigSetup.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_bf4980401574a899\diskperf.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.1.7601.17514_none_cde4c4fd7ab159cb\RMActivate_ssp.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-runas_31bf3856ad364e35_6.1.7600.16385_none_5fbe9f67bec0f818\runas.exe- | 1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
Processes
Process: C:\Users\Admin\AppData\Local\Temp\1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1c63d7ab62bcf6a0446b9cd137051451c5485874dbc750d0a96fd8439a011dcd.exe"
Signatures triggered by this process:
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory