Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-03-2024 06:27
Behavioral task: behavioral1
Sample: c01436f862a0dfa2289634344d00f1aa.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: c01436f862a0dfa2289634344d00f1aa.exe
Resource: win10v2004-20240226-en
General
Target: c01436f862a0dfa2289634344d00f1aa.exe
Size: 401KB
MD5: c01436f862a0dfa2289634344d00f1aa
SHA1: 35b4e124c061d14b66a64eec29cda3d7d0723fb6
SHA256: 6d79b6559b7136ba9825e59b9c61f4e48374bd8f71c86b5a077f7a63456f65e3
SHA512: d6ca1eca17e5fc6de9f60bc9ff0df0258fbf6b255bd6e5de8b5537e912e956d3ba9bf692510b23e666d628783bdbb24489684146d744d96056abd2a50465a606
SSDEEP: 6144:PGtsDPOXAdff3CgzuBrv5/EVKTTP92EW1DNvBOZUjYt:lbdfK66v5/EuT0EWFOaEt
Malware Config
Signatures
yara rule upx matched in:
  behavioral1/memory/2188-0-0x0000000000400000-0x000000000040F000-memory.dmp
  behavioral1/files/0x000c000000013413-6.dat
  behavioral1/memory/2188-3657-0x0000000000400000-0x000000000040F000-memory.dmp
  behavioral1/memory/2188-3661-0x0000000000400000-0x000000000040F000-memory.dmp
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Downloads
Filesize: 1.3MB
MD5: f51d213c1829e8b75f9d310c7ab251ad
SHA1: f0cf68659c037310cc51f32c1c3dc3ce5134ae48
SHA256: 6e685933637576731632a362d2992e04a8846e6e371d26a48abb41a7e7b1a766
SHA512: 04ec27fc3c84668831eccd64c0c7cb30467409b27a3a48c8125f75edcac5c78276759ef5f189fbf745706912c1f9a98950d907270d7bbef7af0ad1ed99325be8