6d79b6559b7136ba9825e59b9c61f4e48374bd8f71c86b5a077f7a63456f65e3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c01436f862a0dfa2289634344d00f1aa.exe
Size

401KB
MD5

c01436f862a0dfa2289634344d00f1aa
SHA1

35b4e124c061d14b66a64eec29cda3d7d0723fb6
SHA256

6d79b6559b7136ba9825e59b9c61f4e48374bd8f71c86b5a077f7a63456f65e3
SHA512

d6ca1eca17e5fc6de9f60bc9ff0df0258fbf6b255bd6e5de8b5537e912e956d3ba9bf692510b23e666d628783bdbb24489684146d744d96056abd2a50465a606
SSDEEP

6144:PGtsDPOXAdff3CgzuBrv5/EVKTTP92EW1DNvBOZUjYt:lbdfK66v5/EuT0EWFOaEt

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4112-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000700000001e59e-5.dat	upx
behavioral2/memory/4112-2783-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4112-4268-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4112-4269-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4112-4273-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\netsh.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\perfhost.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\rekeywiz.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\attrib.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\IME\IMETC\IMTCLNWZ.EXE	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\ipconfig.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\logagent.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\Netplwiz.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\typeperf.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\verclsid.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\write.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\srdelayed.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\takeown.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\calc.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\chkntfs.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\hh.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\mspaint.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\regedt32.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\SyncHost.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\dllhst3g.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\dxdiag.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\iscsicpl.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\ReAgentc.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\ROUTE.EXE	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\wecutil.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\WerFaultSecure.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\cttune.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\dccw.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\gpscript.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\isoburn.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\TapiUnattend.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\notepad.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\RdpSaProxy.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\sc.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\CheckNetIsolation.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\credwiz.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\doskey.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\iscsicli.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\mfpmp.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\openfiles.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\cmd.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\ComputerDefaults.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\CredentialUIBroker.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\netiougc.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\NETSTAT.EXE-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\psr.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\recover.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\TpmInit.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\Fondue.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\grpconv.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\isoburn.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\MuiUnattend.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\relog.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\lodctr.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\lodctr.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\prevhost.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\tracerpt.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\edpnotify.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\rasphone.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\SysWOW64\TokenBrokerCookies.exe-	c01436f862a0dfa2289634344d00f1aa.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\misc.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\7-Zip\7z.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Windows Media Player\setup_wm.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\nacl_irt_x86_64.nexe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\nacl_irt_x86_64.nexe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\7-Zip\7zFM.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\dotnet\dotnet.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdate.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE-	c01436f862a0dfa2289634344d00f1aa.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-console-host-core_31bf3856ad364e35_10.0.19041.153_none_4b81b20e830f375b\conhost.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_10.0.19041.746_none_03030718c597d891\f\sdclt.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\r\TSWbPrxy.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.19041.153_none_6ef8a222ac00dbc2\f\TrustedInstaller.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\notepad.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.1_none_5106d54a804dbfc3\tpmvscmgr.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\n\CustomShellHost.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..dialoghost.appxmain_31bf3856ad364e35_10.0.19041.423_none_edab5dd3a4c202d9\f\CredDialogHost.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fax-service_31bf3856ad364e35_10.0.19041.804_none_8b46258bdefa0beb\r\FXSSVC.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-more_31bf3856ad364e35_10.0.19041.1_none_624b5deeb86c35b8\more.com-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_10.0.19041.1_none_e0dec3877978d84a\mscorsvw.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.264_none_5481650943811810\r\SpatialAudioLicenseSrv.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cipher_31bf3856ad364e35_10.0.19041.1_none_63078cde447629b6\cipher.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-csrss_31bf3856ad364e35_10.0.19041.546_none_36dd2ad842e4f8c3\csrss.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..client-ui-wscollect_31bf3856ad364e35_10.0.19041.746_none_e7acb2599054dc72\r\WSCollect.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..ter-cimprovider-exe_31bf3856ad364e35_10.0.19041.1_none_193aab8d8b539746\Register-CimProvider.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\r\wmpshare.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_f3a9dc0fe254a157\wmpshare.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.19041.1_none_f830216e59eee182\OOBENetworkCaptivePortal.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_bd2b0ef5b58e1540\f\wscript.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\SecHealthUI.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\f\SecHealthUI.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_state_exe_b03f5f7f11d50a3a_10.0.19041.1_none_420589df53dc49e5\aspnet_state.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.173_none_38fc88f8cb913df1\f\winload.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-eventlog-commandline_31bf3856ad364e35_10.0.19041.1202_none_3594628932065f23\f\wevtutil.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-browsercore_31bf3856ad364e35_10.0.19041.1151_none_cf9de3ecb3a8f61c\f\BrowserCore.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_4ae21b160a9d5bb2\f\CameraSettingsUIHost.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_multipoint-wmsuseragent_31bf3856ad364e35_10.0.19041.1_none_16cc981df6cf3111\WmsUserAgent.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.19041.1266_none_e8d910c7c702b558\MusNotificationUx.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ervicing-management_31bf3856ad364e35_10.0.19041.1_none_1eef5aede16ab3bc\Dism.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1_none_d1bc032a24676029\newdev.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.1266_none_b2317523477fbd48\lsass.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-clip_31bf3856ad364e35_10.0.19041.1_none_682199f2efbfb806\clip.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-openwith_31bf3856ad364e35_10.0.19041.1_none_2311dc3012116c15\OpenWith.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_multipoint-wmsselfhealingsvc_31bf3856ad364e35_10.0.19041.1_none_31d99128a3ae3145\WmsSelfHealingSvc.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\f\wowreg32.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.19041.1_none_11b2da2074e7d6e4\Microsoft.AAD.BrokerPlugin.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..snotificationbroker_31bf3856ad364e35_10.0.19041.1266_none_d92abf553d8a282c\r\MusNotification.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_908b22903a403149\f\newdev.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bth-user_31bf3856ad364e35_10.0.19041.746_none_43128ab833fd583f\bthudtask.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-displayswitch_31bf3856ad364e35_10.0.19041.1_none_a2b2be7cc3d8faf5\DisplaySwitch.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.84_none_8a067925a612632c\ApproveChildRequest.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.1266_none_e20a2c618eea3856\f\agentactivationruntimestarter.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_e8b8012dee3ba92e\NETSTAT.EXE-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\wsmprovhost.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslconfig_31bf3856ad364e35_10.0.19041.117_none_7f3778d7035d9622\wslconfig.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.1151_none_ec390bd802a1c630\SearchProtocolHost.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dataexchangehost_31bf3856ad364e35_10.0.19041.264_none_c765d8a6c76ec25f\f\DataExchangeHost.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\f\msinfo32.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-platform_31bf3856ad364e35_10.0.19041.1_none_20798db5235046f8\provlaunch.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_10.0.19041.1266_none_d0cf24ea634e86e3\r\explorer.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..csengine-nativehost_31bf3856ad364e35_10.0.19041.1_none_da6b9c85304fbda8\sdiagnhost.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.19041.264_none_7dd490aa65cdf624\r\runexehelper.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-control_31bf3856ad364e35_10.0.19041.423_none_81cc87a43da05fd1\control.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_10.0.19041.264_none_7a40d01e6ba302b9\mfpmp.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\r\prevhost.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_10.0.19041.906_none_23e2379a6f03d0cb\gpupdate.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\x86_netfx4-ngentask_exe_b03f5f7f11d50a3a_4.0.15805.0_none_1bb0d4ac7da3bfe1\ngentask.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-japanese-setting_31bf3856ad364e35_10.0.19041.1_none_682105a41c3c7a6b\IMJPSET.EXE-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.19041.1023_none_d3d892f3280079d7\r\MdmDiagnosticsTool.exe-	c01436f862a0dfa2289634344d00f1aa.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-grouppolicy-script_31bf3856ad364e35_10.0.19041.572_none_42ec0e96ce977bdb\f\gpscript.exe-	c01436f862a0dfa2289634344d00f1aa.exe

C:\Users\Admin\AppData\Local\Temp\c01436f862a0dfa2289634344d00f1aa.exe
"C:\Users\Admin\AppData\Local\Temp\c01436f862a0dfa2289634344d00f1aa.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\odt\office2016setup.exe-

Filesize
5.4MB

MD5
538bdea39ee4ae64b959e89699433604

SHA1
27bed8152e1eb7527eb4ee4eb525a07fa8aba6db

SHA256
8634649cd095484d1c6f02a67641a8053f07cf6fd57c12b22481afbd5f9f15c5

SHA512
5b3dd77930eec3b58fa78b636b7f47ed983d9eee27f269d1cc05ae7d648c09f02bd63983ee12f1ee838adf7653ed2fe3aa3a16d780ba39d69adb565a383935eb

Download Submit
memory/4112-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4112-2783-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4112-4268-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4112-4269-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4112-4273-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download