3c5397dd383ee8ccf3a11213da135dd85f62fb34a58ca8c07ae3d50f27aec4c3

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 09:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b865fbcef3e561a7fc39713e5293291d.exe
Size

1.7MB
MD5

b865fbcef3e561a7fc39713e5293291d
SHA1

47a7f0942edc5ebd5ea50072232876220de31874
SHA256

3c5397dd383ee8ccf3a11213da135dd85f62fb34a58ca8c07ae3d50f27aec4c3
SHA512

ab5076b857dd02c02b16b64df6cbcaeaf0f1487c82d1bbe6779a09a7926dcc304747d338c19ba3128471f6778e1367fa9e083c1c433b5f367a4e0f42f564bccd
SSDEEP

24576:yxbW8GBU4FQ7pkCPYJLr6wMfqQzQq2oBrjjkOMrhrEGOivIQ:yxxGS4i7pkCPYFOwazQq2YhkEGOiv7

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1884-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000700000001ebc7-5.dat	upx
behavioral2/memory/1884-2103-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1884-4278-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1884-4279-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1884-4283-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\auditpol.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\SecEdit.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\verifiergui.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\bthudtask.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\Com\MigRegDB.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\GameBarPresenceWriter.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\ktmutil.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\makecab.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\net.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\stordiag.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\CameraSettingsUIHost.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\EaseOfAccessDialog.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\IME\IMETC\IMTCLNWZ.EXE-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\timeout.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\TRACERT.EXE-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\typeperf.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\newdev.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\chcp.com-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\Com\comrepl.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\fltMC.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\ktmutil.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\MuiUnattend.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\rasdial.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\SndVol.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\tasklist.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\curl.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\find.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\fsutil.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\openfiles.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\sxstrace.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\fontdrvhost.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\Magnify.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\mspaint.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\UserAccountControlSettings.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\whoami.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\WSManHTTPConfig.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\chkdsk.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\Dism.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\mountvol.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\RMActivate.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\RmClient.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\SyncHost.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\UserAccountControlSettings.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\pcaui.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\PickerHost.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\regini.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\regsvr32.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\backgroundTaskHost.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\convert.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\dllhost.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\dpapimig.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\fsquirt.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\LaunchWinApp.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\RmClient.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\systeminfo.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\tracerpt.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe-	b865fbcef3e561a7fc39713e5293291d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\jar.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\misc.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Internet Explorer\ExtExport.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files (x86)\Windows Media Player\wmprph.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jjs.exe-	b865fbcef3e561a7fc39713e5293291d.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\logoff.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\r\taskhostw.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_security-octagon-broker_31bf3856ad364e35_10.0.19041.84_none_51ae5c25baf813ff\SgrmBroker.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.19041.1288_none_1cec63974464878f\r\SenseCncProxy.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.19041.264_none_9b70177c85a8df54\mavinject.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\r\ImeBroker.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-dsdbutil_31bf3856ad364e35_10.0.19041.844_none_1d907c422e447b14\dsdbutil.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-autofmt_31bf3856ad364e35_10.0.19041.1266_none_650ebab5a8c02ffc\f\autofmt.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_556ba5d1df8130ac\f\printui.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..-management-console_31bf3856ad364e35_10.0.19041.746_none_f7c1402f08d2457a\f\mmc.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-a..cation-creduibroker_31bf3856ad364e35_10.0.19041.746_none_4c95cf26b3aa5907\r\CredentialUIBroker.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1_none_97b0a47239f6db64\PeopleExperienceHost.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\r\splwow64.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.19041.1266_none_3bcd0306a19592e2\Robocopy.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-dsdbutil_31bf3856ad364e35_10.0.19041.1_none_f58a3da76ed0f251\dsdbutil.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.84_none_42927ae06bc1dce9\r\WpcMon.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.19041.1151_none_d57e154a0a8460d3\r\pacjsworker.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-i..devicescontrolpanel_31bf3856ad364e35_10.0.19041.1_none_7e723dd43021c2d3\ImagingDevices.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\AppResolverUX.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-c..periencehost-broker_31bf3856ad364e35_10.0.19041.1_none_f4db83a870443aa2\CloudExperienceHostBroker.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..iondata-cmdlinetool_31bf3856ad364e35_10.0.19041.1202_none_fceb29af5a61f7e6\f\bcdedit.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-tokenbroker_31bf3856ad364e35_10.0.19041.1266_none_18784aba5fcd68cc\r\TokenBrokerCookies.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\Temp\PendingDeletes\caae464736e5d7017ea100001815341f.InetMgr6.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.19041.117_none_610933d42d963a44\f\wsl.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.173_none_f837263e7fdd508f\f\sppsvc.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..scannerpreview-host_31bf3856ad364e35_10.0.19041.546_none_70569b662ddb706c\r\CameraBarcodeScannerPreview.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiFileFetcher.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\Temp\PendingDeletes\a267614236e5d701639700001815341f.UwfServicingSvc.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\hvc.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\IMEPADSV.EXE-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.19041.117_none_1db60e061b48335a\r\bash.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-provisioning-platform_31bf3856ad364e35_10.0.19041.844_none_52d476a2172491b6\provlaunch.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\wow64_networking-mpssvc-netsh_31bf3856ad364e35_10.0.19041.117_none_975feef459c69d6b\CheckNetIsolation.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..ment-windows-minwin_31bf3856ad364e35_10.0.19041.1266_none_c4b179e0b12fe4b9\winload.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1288_none_3f2d1be96237886e\WSManHTTPConfig.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\Temp\PendingDeletes\8e36994536e5d701189b00001815341f.iisreset.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.264_none_51891893184281d8\LaunchWinApp.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..andlinepropertytool_31bf3856ad364e35_10.0.19041.844_none_f3894559140c31d7\imjpuexc.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1081_none_5500d10e49b43346\f\ByteCodeGenerator.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\f\hvsirpcd.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\r\net1.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_3f7ee0a8ee28ef7d\netiougc.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-control_31bf3856ad364e35_10.0.19041.423_none_81cc87a43da05fd1\control.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1_none_6df323382219b604\PickerHost.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..s-mdac-odbcconf-exe_31bf3856ad364e35_10.0.19041.1_none_67494c7cd91d4b47\odbcconf.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..ment-windows-minwin_31bf3856ad364e35_10.0.19041.1266_none_c4b179e0b12fe4b9\f\winload.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.19041.1023_none_d3d892f3280079d7\MdmDiagnosticsTool.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.1_none_f35caf2131abed9a\lsass.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.264_none_d58a0ca50a94510c\vmcompute.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslconfig_31bf3856ad364e35_10.0.19041.117_none_7f3778d7035d9622\r\wslconfig.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wimgapi_31bf3856ad364e35_10.0.19041.1202_none_fdbbcf53ca14e151\f\wimserv.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_netfx-dfsvc_b03f5f7f11d50a3a_10.0.19041.1_none_833d086e8f306c45\dfsvc.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_9204c42a031e28cf\f\iissetup.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ostic-user-resolver_31bf3856ad364e35_10.0.19041.1_none_7b261299a50c8282\DFDWiz.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\amd64_multimedia-rrinstaller_31bf3856ad364e35_10.0.19041.1_none_c8deb9da2cb2458a\rrinstaller.exe-	b865fbcef3e561a7fc39713e5293291d.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.264_none_91c1d6c40350b1b6\appcmd.exe-	b865fbcef3e561a7fc39713e5293291d.exe

C:\Users\Admin\AppData\Local\Temp\b865fbcef3e561a7fc39713e5293291d.exe
"C:\Users\Admin\AppData\Local\Temp\b865fbcef3e561a7fc39713e5293291d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\odt\office2016setup.exe-

Filesize
6.7MB

MD5
ee18dc73e5a342b992f338aa9507b8a3

SHA1
c682be60646c0fabe889023524f4a34b84ed3e24

SHA256
3284c46119f6fc4a3efa52123a32f715470fd1c59c418e210e335f086c846037

SHA512
21edd245c1f1b56224df6924a627292721e5c76d409de3ffe3b8e5d73da10c5a175632d2e832e4dca6289d0ae31daf7a28921f176b424c251a882cacacb87cce

Download Submit
memory/1884-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1884-2103-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1884-4278-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1884-4279-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1884-4283-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download