c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb

Analysis

max time kernel
80s
max time network
83s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
Size

5.2MB
MD5

1602e66dbf6c6d9d42fff718a0bdc84e
SHA1

4fff705808153dd10f5a4d0622f5356634c72084
SHA256

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb
SHA512

fff54e662ae1f753070781d0330d41276eafda1b25b3bd2bd478656fb28561c534b3a73723a2273917e3f4df9307dc9b35ae107966369cf8705ac4220c6a74a0

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

description	ioc	process
File created	C:\Windows\System32\drivers\gmreadme.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

Loads dropped DLL 3 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

pid	process
1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neurax = "C:\\Windows\\System32\\Neurax.exe"	reg.exe

Drops file in System32 directory 64 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.execmd.exe

description	ioc	process
File created	C:\Windows\System32\WindowsPowerShell\v1.0\es-ES\about_profiles.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\it-IT\about_functions_advanced_methods.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc5200t.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_jobs.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc5500t.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomePremiumN\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\es-ES\about_Session_Configurations.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\it-IT\Licenses\eval\HomeBasicN\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\es-ES\Microsoft.Wsman.Management.dll-Help.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Arithmetic_Operators.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Ref.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\de-DE\about_Variables.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\ja-JP\about_arrays.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\ja-JP\default.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomeBasicN\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_WMI_Cmdlets.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasicE\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WS-Management_Cmdlets.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_job_details.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\es-ES\about_scripts.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\it-IT\about_If.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_wildcards.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\es-ES\about_command_precedence.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Windows_PowerShell_ISE.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd4100t.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8500at.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\it-IT\about_arrays.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Comparison_Operators.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Command_Syntax.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_providers.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\oobe\es-ES\vofflps.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\es-ES\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_CommonParameters.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Windows\System32\autorun.nrx	cmd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smf6x4u.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\en-US\Licenses\OEM\Ultimate\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremiumN\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_prompts.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\ja-JP\Licenses\_Default\UltimateN\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\de-DE\about_operators.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\ja-JP\Microsoft.PowerShell.ConsoleHost.dll-Help.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\tcpbidi.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_jobs.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_format.ps1xml.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\fr-FR\Licenses\_Default\Enterprise\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\es-ES\about_Ref.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\StarterE\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_eventlogs.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Comparison_Operators.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\en-US\Licenses\OEM\StarterN\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\about_pipelines.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\about_Variables.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Enterprise\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_execution_policies.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_output.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_script_internationalization.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\es-ES\Microsoft.PowerShell.ConsoleHost.dll-Help.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\about_type_operators.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\it-IT\about_Break.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_jobs.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Break.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\kyw7qur2.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\about_properties.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

Drops file in Program Files directory 64 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\Xusage.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\gadget.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\winamp2.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\gadget.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\gadget.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\gadget.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\gadget.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

Drops file in Windows directory 64 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

description	ioc	process
File created	C:\Windows\PLA\Reports\fr-FR\Report.System.Wired.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_en-us_29b70e81faa66c43\epgtos.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9e5b45457e71d50c\Rules.System.Summary.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_job_details.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Automatic_Variables.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7600.16385_en-us_60918bf31d027127\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_WS-Management_Cmdlets.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx45_IIS_schema_update.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ca708792c0c76c27\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_en-us_77f885dc30a2b58b\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_117bd8ffb46dd92c\Rules.System.Network.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_eventlogs.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpsd730t.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\PLA\Rules\Rules.System.Memory.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_a462b98a69d9fae6\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Session_Configurations.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..docs-main.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4c687a0442f05be5\sdengin2.dll.mui	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\Microsoft.Wsman.Management.dll-Help.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_en-us_29fa16f1e581f525\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1055\eula.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Foreach.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Assignment_Operators.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_eventlogs.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_remote_FAQ.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e9c2f754efcb477f\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_de_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Quoting_Rules.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..svc-extra.resources_31bf3856ad364e35_6.1.7600.16385_de-de_25fdb232f2e20c42\Rules.System.Wireless.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5ed3d9a150a4801e_erofflps.txt_649e76ed	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_command_precedence.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9c4da920e2047ffc\gadget.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-editions-client_31bf3856ad364e35_6.1.7600.16385_none_bc037fbe81d7b074\HomeBasicEdition.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6c1ecf50d014f9d9\gadget.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..putername.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0202957a15d38086\OOBE_HELP_Change_Computer_Name.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0949e9d37370d0a3\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1045\LocalizedData.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Reserved_Words.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\Microsoft.PowerShell.Security.dll-Help.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_789a038687e73e79\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_11b07c1bb446e787\Rules.System.Summary.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_de-de_59f90b40a942117e_erofflps.txt_649e76ed	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_properties.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_pssession_details.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\Microsoft.PowerShell.Commands.Utility.dll-Help.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_203bbba4ef78364f\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_05906ea4445b6301\Rules.System.NetDiagFramework.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_modules.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Signing.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipsrom.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_providers.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_it-it_cd474afc68c2f3e0\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\System.xml.Resources.dll	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1041\LocalizedData.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_399bb48ff329ff89\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ar-wizard.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3ffb4c3dcb07890d\Add_a_device_or_computer_to_a_network_usb.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpl7700t.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpd5060t.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Language_Keywords.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\PLA\Reports\es-ES\Report.System.Memory.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\PLA\System\System Performance.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\servicing\Sessions\30953531_3771175824.back.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8ef1bf7026e3473f\gadget.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_command_precedence.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exeshutdown.exe

description	pid	process
Token: 35	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
Token: SeShutdownPrivilege	1148	shutdown.exe
Token: SeRemoteShutdownPrivilege	1148	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exec299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.execmd.exe

description	pid	process	target process
PID 748 wrote to memory of 1612	748	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
PID 748 wrote to memory of 1612	748	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
PID 748 wrote to memory of 1612	748	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
PID 1612 wrote to memory of 1640	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1640	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1640	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1640 wrote to memory of 1756	1640	cmd.exe	reg.exe
PID 1640 wrote to memory of 1756	1640	cmd.exe	reg.exe
PID 1640 wrote to memory of 1756	1640	cmd.exe	reg.exe
PID 1612 wrote to memory of 2016	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 2016	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 2016	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1684	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1684	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1684	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1036	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1036	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1036	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1580	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1580	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1580	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 520	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 520	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 520	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1108	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1108	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1108	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 700	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 700	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 700	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1252	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1252	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1252	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 780	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 780	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 780	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1360	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1360	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1360	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1972	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1972	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1972	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1044	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1044	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1044	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1832	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1832	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1832	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1544	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1544	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1544	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1328	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1328	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1328	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 764	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 764	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 764	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1280	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1280	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1280	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1016	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1016	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 1016	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 1612 wrote to memory of 952	1612	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
"C:\Users\Admin\AppData\Local\Temp\c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
"C:\Users\Admin\AppData\Local\Temp\c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe"
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1
3⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1
4⤵
PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink" /Q
3⤵
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\BackupSelect.cfg" /Q
3⤵
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\BackupSend.ico" /Q
3⤵
PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\BlockPop.tiff" /Q
3⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\ConnectSelect.hta" /Q
3⤵
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\CopyConvertFrom.wav" /Q
3⤵
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\DenySync.zip" /Q
3⤵
PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\FormatConfirm.inf" /Q
3⤵
PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\GrantUnprotect.mpeg3" /Q
3⤵
PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\ImportBlock.snd" /Q
3⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\LockResume.asx" /Q
3⤵
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\MoveUnpublish.jpe" /Q
3⤵
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\ReceiveComplete.xltx" /Q
3⤵
PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\RepairEdit.ppt" /Q
3⤵
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\RepairInvoke.crw" /Q
3⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\SearchRegister.wmf" /Q
3⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\SelectConvertTo.jtx" /Q
3⤵
PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\StartInitialize.au" /Q
3⤵
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\UpdateComplete.doc" /Q
3⤵
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Links\Desktop.lnk" /Q
3⤵
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink" /Q
3⤵
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Public\Desktop\Adobe Reader 9.lnk" /Q
3⤵
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Public\Desktop\Firefox.lnk" /Q
3⤵
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Public\Desktop\Google Chrome.lnk" /Q
3⤵
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Public\Desktop\VLC media player.lnk" /Q
3⤵
PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\autorun.nrx" C:\Windows\System32\autorun.nrx
3⤵
- Drops file in System32 directory
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\worm2.jpg" C:\Windows\System32\worm2.jpg
3⤵
PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Neurax.exe" C:\Windows\System32\Neurax.exe
3⤵
PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v Neurax /t REG_SZ /d "C:\Windows\System32\Neurax.exe"
3⤵
PID:1972

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v Neurax /t REG_SZ /d "C:\Windows\System32\Neurax.exe"
4⤵
- Adds Run key to start application
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown /r
3⤵
PID:432

C:\Windows\system32\shutdown.exe
shutdown /r
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1700

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1668

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI7482\Neurax.exe.manifest
Filesize
1KB

MD5
e2579e73fb1c89963e61f8bc5a684cd1

SHA1
71541f76cb551ba619f46c5f28df06d29cce77a2

SHA256
8afa8a79744dc52faea860e68caa311f15f37734de3494643ed04e748e475cd9

SHA512
9a6cea355d9825748c17b4df3574c015b07420276e460157dcf4b26da227caf8914aafdfc1f2443e16e2c6ba115258337a4fb10970e24f2188e157810a331d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7482\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7482\_ctypes.pyd
Filesize
129KB

MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7482\base_library.zip
Filesize
766KB

MD5
b48d9123e8ff01087d28f2c2acc1643f

SHA1
2058a1779bcee55dd4e62096e1303371855f1624

SHA256
75cc1a3b419d5f1116b7afceef199e12ad3f56c3164c2e9aeb51a7be8dd39785

SHA512
229c08111b7c57154e27da0a5ef61945aeb98f2287f3bec4f32bdd0f898861dbf46750d54ecb2f5930985ce30360e474780fd8254b8702375146cf7529d5e987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7482\python37.dll
Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\autorun.nrx
Filesize
100B

MD5
38ecd4e05e7fb0bddd0befe1bddac8f3

SHA1
45a7e3b233d051e0d197582ad7e4535ae2691327

SHA256
375768d8613699967fef849313c107164e666a49087a5a9a40ca6e05e9dda825

SHA512
a6425ba7c80ff2f03669c06082ccf8a9fb0ae87a6086061a1b47f58ad828b9777ed7e9c577ab2fd56811c84908081b3d7091f5a901ca657b1b2f56e1d06a03b5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI7482\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI7482\_ctypes.pyd
Filesize
129KB

MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI7482\python37.dll
Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
memory/432-97-0x0000000000000000-mapping.dmp

Download
memory/520-69-0x0000000000000000-mapping.dmp

Download
memory/668-93-0x0000000000000000-mapping.dmp

Download
memory/700-71-0x0000000000000000-mapping.dmp

Download
memory/764-80-0x0000000000000000-mapping.dmp

Download
memory/780-73-0x0000000000000000-mapping.dmp

Download
memory/952-83-0x0000000000000000-mapping.dmp

Download
memory/1016-82-0x0000000000000000-mapping.dmp

Download
memory/1036-89-0x0000000000000000-mapping.dmp

Download
memory/1036-67-0x0000000000000000-mapping.dmp

Download
memory/1040-92-0x0000000000000000-mapping.dmp

Download
memory/1044-95-0x0000000000000000-mapping.dmp

Download
memory/1044-76-0x0000000000000000-mapping.dmp

Download
memory/1108-70-0x0000000000000000-mapping.dmp

Download
memory/1148-98-0x0000000000000000-mapping.dmp

Download
memory/1252-72-0x0000000000000000-mapping.dmp

Download
memory/1280-81-0x0000000000000000-mapping.dmp

Download
memory/1328-79-0x0000000000000000-mapping.dmp

Download
memory/1344-84-0x0000000000000000-mapping.dmp

Download
memory/1360-74-0x0000000000000000-mapping.dmp

Download
memory/1456-90-0x0000000000000000-mapping.dmp

Download
memory/1544-78-0x0000000000000000-mapping.dmp

Download
memory/1580-68-0x0000000000000000-mapping.dmp

Download
memory/1592-86-0x0000000000000000-mapping.dmp

Download
memory/1612-96-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

Filesize
8KB

Download
memory/1612-54-0x0000000000000000-mapping.dmp

Download
memory/1640-63-0x0000000000000000-mapping.dmp

Download
memory/1684-66-0x0000000000000000-mapping.dmp

Download
memory/1684-88-0x0000000000000000-mapping.dmp

Download
memory/1756-64-0x0000000000000000-mapping.dmp

Download
memory/1832-77-0x0000000000000000-mapping.dmp

Download
memory/1972-75-0x0000000000000000-mapping.dmp

Download
memory/1972-94-0x0000000000000000-mapping.dmp

Download
memory/1996-85-0x0000000000000000-mapping.dmp

Download
memory/2016-65-0x0000000000000000-mapping.dmp

Download
memory/2016-87-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads