c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb

Analysis

max time kernel
133s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
16-05-2022 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
Size

5.2MB
MD5

1602e66dbf6c6d9d42fff718a0bdc84e
SHA1

4fff705808153dd10f5a4d0622f5356634c72084
SHA256

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb
SHA512

fff54e662ae1f753070781d0330d41276eafda1b25b3bd2bd478656fb28561c534b3a73723a2273917e3f4df9307dc9b35ae107966369cf8705ac4220c6a74a0

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

description	ioc	process
File created	C:\Windows\System32\drivers\gmreadme.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

Loads dropped DLL 3 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

pid	process
4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neurax = "C:\\Windows\\System32\\Neurax.exe"	reg.exe

Drops file in System32 directory 64 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.execmd.exe

description	ioc	process
File created	C:\Windows\System32\spool\tools\Microsoft Print To PDF\MPDW_devmode_map.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\en-US\default.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\oobe\de-DE\vofflps.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\wbem\xsl-mappings.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\oobe\it-IT\OOBE_HELP_Opt_in_Details.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\oobe\ja-JP\OOBE_HELP_Opt_in_Details.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\DDFs\CertificateStore_DDF.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\Speech_OneCore\common\en-US\Tokens_SR_en-US-N.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\F12\Timeline.cpu.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\icsxml\osinfo.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\oobe\ja-JP\vofflps.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\icsxml\ipcfg.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\oobe\it-IT\privacy.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsCodecsRaw.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Windows\System32\OEMDefaultAssociations.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\es-ES\default.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\spool\tools\Microsoft XPS Document Writer\mxdw-pipelineconfig.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\autorun.nrx	cmd.exe
File created	C:\Windows\System32\oobe\ja-JP\OOBE_HELP_Cortana_Learn_More.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\DDFs\EnrollmentStatusTrackingDDF.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\ja-jp\lpeula.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\AppxProvisioning.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\NetTrace.PLA.Diagnostics.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\icsxml\pppcfg.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\de-DE\Licenses\Volume\Professional\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\oobe\en-US\OOBE_HELP_Cortana_Learn_More.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\Sysprep\ActionFiles\Respecialize.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\de-DE\lipeula.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\integrator.exe_Rules.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\spool\tools\Microsoft Print To PDF\MPDW-pipelineconfig.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\SystemResetPlatform\SystemResetPlugins.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\Volume\Professional\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\icsxml\cmnicfg.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\Volume\Professional\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\de-license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Windows\System32\MsDtc\Trace\msdtcvtr.bat	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Windows\SysWOW64\Recovery\ReAgent.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\default.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\es-ES\lipeula.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\fr-FR\Licenses\Volume\Professional\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ProcessMitigations\Microsoft.ProcessMitigations.Commands.dll-Help.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Windows\System32\autorun.nrx	cmd.exe
File created	C:\Windows\System32\ja-jp\Licenses\_Default\Professional\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\it-IT\Licenses\OEM\Professional\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\Speech_OneCore\common\tokens.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\NarratorControlTemplates.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\Licenses\neutral\_Default\Professional\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\System32\oobe\en-US\vofflps.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\icsxml\potscfg.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

Drops file in Program Files directory 64 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinResearcher.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessMessageDismissal.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lo-LA\View3d\3DViewerProductDescription-universal.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.VisualElementsManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Telemetry\BIEvents.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-windows.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Pester.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jvm.hprof.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ko-KR\View3d\3DViewerProductDescription-universal.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\View3d\3DViewerProductDescription-universal.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

Drops file in Windows directory 64 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\PLA\Reports\Report.System.Network.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\PLA\Rules\it-IT\Rules.System.Wireless.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1288_none_3f2d1be96237886e\wsmanconfig_schema.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.1_de-de_1f727312db940011.manifest	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..sslockapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_7014825cdc7916b8\f\AppxBlockMap.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appx-alluserstore_31bf3856ad364e35_10.0.19041.1266_none_989c3d3cad2576b4\AppxProvisioning.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e149786fa07e68ce\lipeula.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..ctionflow.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_4d3bd653a974d501\f\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.19041.423_none_204af7ff19532470\tokens_esMX.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\System.xml.Resources.dll	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AppxBlockMap.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bits-client-core_31bf3856ad364e35_10.0.19041.1266_none_9b0ab05d400833e1\315818c03ccc2b10070df2d4ebd09eb6c4c66e58.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.262_none_e73f0197262d9fec\GlobalInstallOrder.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..-coreinkrecognition_31bf3856ad364e35_10.0.19041.1_none_a3894f289a50398f\ThirdPartyNotices.MSHWLatin.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_system.xml_v4.0_4.0.0.0_b77a5c561934e089_ec23d9a7ad53e8b2.cdf-ms	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\diagnostics\index\IESecurityDiagnostic.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.xml.resources.dll	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..tscontrol.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_bcf0807cccfa0873\r\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.264_none_ba5e4a287945a683\IoTEnterpriseEdition.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxsetup_31bf3856ad364e35_10.0.19041.1_none_b69476ac0b81dec5\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..iondialog.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_5f1081b1c1cd1c92\r\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-syncutil_31bf3856ad364e35_10.0.19041.746_none_aed5253f365b5b9c\LiveDomainList.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\19.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Report.System.Network.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipsfra.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\diagnostics\index\PCWDiagnostic.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\tokens_deDE.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\ASPNET_schema.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.1288_none_0fb30e7d925e4d06\f\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_it-it_daa225006716fab2\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_7cc7a40d5a320c8d\license.rtf	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..trolpanel.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_d23715c9ea6f2f2c\r\appxmanifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.appxsetup_31bf3856ad364e35_10.0.19041.1_none_593baf0978e6233c\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\msil_system.xml.resources_b77a5c561934e089_10.0.19041.1_fr-fr_65a8da41cefa688a\System.xml.Resources.dll	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\MicrosoftLync2013Win32.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\GlobalInstallOrder.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File opened for modification	C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7\ThirdPartyNotices.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\Manifests\msil_system.xml.linq_b77a5c561934e089_10.0.19041.1_none_80ab7c5eb22ad5ad.manifest	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\PLA\Reports\Report.System.NetTrace.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..xtservice.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_c429f54b07aa1ba4\r\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ment-enterprisecsps_31bf3856ad364e35_10.0.19041.153_none_2a1e6a613d7771a3\CertificateStore_DDF.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Rules.System.CPU.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..docs-main.resources_31bf3856ad364e35_10.0.19041.1_es-es_1985299afe98dfd9\sdrsvc.dll.mui	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..ep-chxapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_7d8eee60f8081103\r\AppxBlockMap.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..xtservice.appxsetup_31bf3856ad364e35_10.0.19041.1_none_05434c40f1e33617\AppxBlockMap.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.207_none_4054ef70f69f6ff9\wpr.config.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ore-files.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ae1a3f14dc8289ff\Rules.AD.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..t-browser.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_9335233f4761b170\f\AppxBlockMap.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\Report.System.CPU.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\base_rtl.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_dual_prnms004.inf_31bf3856ad364e35_10.0.19041.1_none_f59945c05aa85d79\Amd64\unisharev4-pipelineconfig.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-onecoreuap-wlansvc_31bf3856ad364e35_10.0.19041.153_none_20cb28a4512c2591\Report.System.Wireless.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\categories.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipsnor.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-pcshell_31bf3856ad364e35_10.0.19041.746_none_f297ff1a159e7f05\r\DefaultLayouts.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\PrintDialog\appxblockmap.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..userpredictionmodel_31bf3856ad364e35_10.0.19041.1_none_42c9bed4b6bd2e16\SBCModel.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\PLA\Rules\de-DE\Rules.System.Diagnostics.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..bviewhost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_1277eb7f6aa856b4\r\AppxManifest.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft-xbox-gamecallableui.appxsetup_31bf3856ad364e35_10.0.19041.1_none_38b4bf057e9fa0fb\AppxBlockMap.xml	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
File created	C:\Windows\WinSxS\amd64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_8a237828132e61da\about_BeforeEach_AfterEach.help.txt	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "13"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exeshutdown.exe

description	pid	process
Token: 35	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
Token: SeShutdownPrivilege	5048	shutdown.exe
Token: SeRemoteShutdownPrivilege	5048	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4268 LogonUI.exe

pid	process
4268	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exec299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.execmd.exe

description	pid	process	target process
PID 1084 wrote to memory of 4264	1084	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
PID 1084 wrote to memory of 4264	1084	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
PID 4264 wrote to memory of 4660	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4660	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4660 wrote to memory of 3852	4660	cmd.exe	reg.exe
PID 4660 wrote to memory of 3852	4660	cmd.exe	reg.exe
PID 4264 wrote to memory of 520	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 520	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 372	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 372	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2164	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2164	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4552	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4552	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 5104	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 5104	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4756	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4756	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 3404	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 3404	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 204	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 204	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 1568	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 1568	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2064	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2064	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2596	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2596	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 3312	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 3312	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 1548	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 1548	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4612	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4612	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4972	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4972	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 3556	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 3556	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 3368	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 3368	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4484	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4484	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2872	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2872	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2948	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2948	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4904	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4904	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 1308	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 1308	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 3096	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 3096	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2896	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2896	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 1880	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 1880	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2212	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2212	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4312	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 4312	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2444	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 2444	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 1140	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe
PID 4264 wrote to memory of 1140	4264	c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
"C:\Users\Admin\AppData\Local\Temp\c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe
"C:\Users\Admin\AppData\Local\Temp\c299cc09abfb6ae932031148e8726680d8935cba50bf6661bb6ed21fcb1801bb.exe"
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1
3⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1
4⤵
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink" /Q
3⤵
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\ApproveBackup.m1v" /Q
3⤵
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\AssertCompress.pcx" /Q
3⤵
PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\ConfirmInstall.scf" /Q
3⤵
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\ConvertFromLock.mhtml" /Q
3⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\DisableUninstall.wmf" /Q
3⤵
PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\DismountDisable.png" /Q
3⤵
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\FindConvert.ADT" /Q
3⤵
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\GrantClose.dib" /Q
3⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\InvokeTrace.3gp2" /Q
3⤵
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\Microsoft Edge.lnk" /Q
3⤵
PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\OutSwitch.bin" /Q
3⤵
PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\PingEdit.wmf" /Q
3⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\PingUse.vsx" /Q
3⤵
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\RedoRegister.html" /Q
3⤵
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\RemoveConvertTo.css" /Q
3⤵
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\RestartLimit.wmx" /Q
3⤵
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\SearchProtect.contact" /Q
3⤵
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\SelectSplit.rtf" /Q
3⤵
PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\SetPop.eps" /Q
3⤵
PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\SplitOpen.dll" /Q
3⤵
PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\StepRequest.m4a" /Q
3⤵
PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\StopConfirm.rtf" /Q
3⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\UninstallPush.bat" /Q
3⤵
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\UnregisterRestart.emf" /Q
3⤵
PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Desktop\UseReset.TS" /Q
3⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\Links\Desktop.lnk" /Q
3⤵
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink" /Q
3⤵
PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Public\Desktop\Acrobat Reader DC.lnk" /Q
3⤵
PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Public\Desktop\Firefox.lnk" /Q
3⤵
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Public\Desktop\Google Chrome.lnk" /Q
3⤵
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Public\Desktop\VLC media player.lnk" /Q
3⤵
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\autorun.nrx" C:\Windows\System32\autorun.nrx
3⤵
- Drops file in System32 directory
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\worm2.jpg" C:\Windows\System32\worm2.jpg
3⤵
PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Neurax.exe" C:\Windows\System32\Neurax.exe
3⤵
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v Neurax /t REG_SZ /d "C:\Windows\System32\Neurax.exe"
3⤵
PID:4976

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v Neurax /t REG_SZ /d "C:\Windows\System32\Neurax.exe"
4⤵
- Adds Run key to start application
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown /r
3⤵
PID:2056

C:\Windows\system32\shutdown.exe
shutdown /r
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3959055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI10842\Neurax.exe.manifest
Filesize
1KB

MD5
e2579e73fb1c89963e61f8bc5a684cd1

SHA1
71541f76cb551ba619f46c5f28df06d29cce77a2

SHA256
8afa8a79744dc52faea860e68caa311f15f37734de3494643ed04e748e475cd9

SHA512
9a6cea355d9825748c17b4df3574c015b07420276e460157dcf4b26da227caf8914aafdfc1f2443e16e2c6ba115258337a4fb10970e24f2188e157810a331d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_ctypes.pyd
Filesize
129KB

MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_ctypes.pyd
Filesize
129KB

MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\base_library.zip
Filesize
766KB

MD5
b48d9123e8ff01087d28f2c2acc1643f

SHA1
2058a1779bcee55dd4e62096e1303371855f1624

SHA256
75cc1a3b419d5f1116b7afceef199e12ad3f56c3164c2e9aeb51a7be8dd39785

SHA512
229c08111b7c57154e27da0a5ef61945aeb98f2287f3bec4f32bdd0f898861dbf46750d54ecb2f5930985ce30360e474780fd8254b8702375146cf7529d5e987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\python37.dll
Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\python37.dll
Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\autorun.nrx
Filesize
61B

MD5
17b7e747e7579c2b52c1489e2786788c

SHA1
0d923c9024970265495a6d3c2855abeb8381ee52

SHA256
980de193f5adf9eecd04710974c0f34faa7c15c310ecb91e8cbaf54890d06499

SHA512
b9f30849505e13080317c9ca521e4f3546705c1c19a603b11156beaa94a9b82e2c601b6b48dd1743e7ecbb4efa8d40577b6cc7e41bda4ae9953daa99b2570b89

Download Submit
memory/204-148-0x0000000000000000-mapping.dmp

Download
memory/372-142-0x0000000000000000-mapping.dmp

Download
memory/520-141-0x0000000000000000-mapping.dmp

Download
memory/1140-169-0x0000000000000000-mapping.dmp

Download
memory/1180-170-0x0000000000000000-mapping.dmp

Download
memory/1308-162-0x0000000000000000-mapping.dmp

Download
memory/1548-153-0x0000000000000000-mapping.dmp

Download
memory/1568-149-0x0000000000000000-mapping.dmp

Download
memory/1880-165-0x0000000000000000-mapping.dmp

Download
memory/2056-179-0x0000000000000000-mapping.dmp

Download
memory/2064-150-0x0000000000000000-mapping.dmp

Download
memory/2164-143-0x0000000000000000-mapping.dmp

Download
memory/2212-166-0x0000000000000000-mapping.dmp

Download
memory/2408-172-0x0000000000000000-mapping.dmp

Download
memory/2444-168-0x0000000000000000-mapping.dmp

Download
memory/2596-151-0x0000000000000000-mapping.dmp

Download
memory/2872-159-0x0000000000000000-mapping.dmp

Download
memory/2896-164-0x0000000000000000-mapping.dmp

Download
memory/2948-160-0x0000000000000000-mapping.dmp

Download
memory/3096-163-0x0000000000000000-mapping.dmp

Download
memory/3312-152-0x0000000000000000-mapping.dmp

Download
memory/3368-157-0x0000000000000000-mapping.dmp

Download
memory/3404-147-0x0000000000000000-mapping.dmp

Download
memory/3556-156-0x0000000000000000-mapping.dmp

Download
memory/3572-171-0x0000000000000000-mapping.dmp

Download
memory/3852-140-0x0000000000000000-mapping.dmp

Download
memory/3972-173-0x0000000000000000-mapping.dmp

Download
memory/4264-130-0x0000000000000000-mapping.dmp

Download
memory/4312-167-0x0000000000000000-mapping.dmp

Download
memory/4432-176-0x0000000000000000-mapping.dmp

Download
memory/4484-158-0x0000000000000000-mapping.dmp

Download
memory/4552-144-0x0000000000000000-mapping.dmp

Download
memory/4612-154-0x0000000000000000-mapping.dmp

Download
memory/4660-139-0x0000000000000000-mapping.dmp

Download
memory/4708-175-0x0000000000000000-mapping.dmp

Download
memory/4756-146-0x0000000000000000-mapping.dmp

Download
memory/4904-161-0x0000000000000000-mapping.dmp

Download
memory/4952-178-0x0000000000000000-mapping.dmp

Download
memory/4972-155-0x0000000000000000-mapping.dmp

Download
memory/4976-177-0x0000000000000000-mapping.dmp

Download
memory/5048-180-0x0000000000000000-mapping.dmp

Download
memory/5104-145-0x0000000000000000-mapping.dmp

Download